@sgiehl opened this Pull Request on January 15th 2021 Member

Description:

It's currently possible to configure any URL for downloading GeoIP databases from. Even though this option can only be changed by a super user and only if the GeoIP admin is enabled, limiting those options to only trusted hosts makes Matomo a little more secure. If someone needs to use the autoupdater to download files from somewhere else, he can simply adjust the config.

For now, the check is only done when setting the downloader option. Not sure if we should check that directly before download as well. Didn't add that yet, to prevent failures after a Matomo update if someone has already configured something else.

Review

  • [ ] Functional review done
  • [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support)
  • [ ] Security review done see checklist
  • [ ] Code review done
  • [ ] Tests were added if useful/possible
  • [ ] Reviewed for breaking changes
  • [ ] Developer changelog updated if needed
  • [ ] Documentation added if needed
  • [ ] Existing documentation updated if needed
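
The host restriction described in the pull request description above, sketched as an added example; this is not code from the pull request or from Matomo. The function name `isUrlFromTrustedHost`, the host `geoip.example` and all sample URLs are constructed for illustration.

```php
<?php
// Added illustration: function name, hosts and URLs are constructed, not Matomo's.

/** True only for http(s) URLs whose host is a trusted host or a subdomain of one. */
function isUrlFromTrustedHost(string $url, array $trustedHosts): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false; // malformed, relative, or host-less URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false; // only web downloads are accepted
    }
    // Compare the parsed host, never the raw string: lower-case, no trailing root dot.
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($trustedHosts as $trusted) {
        $suffix = '.' . rtrim(strtolower($trusted), '.');
        if ($suffix === '.') {
            continue; // skip empty config entries
        }
        // Exact match, or a subdomain match anchored on a dot boundary.
        if ($host === substr($suffix, 1) || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample URLs with the result each one should produce.
$trusted = ['geoip.example'];
$samples = [
    'https://geoip.example/db.mmdb'                   => true,
    'https://download.GeoIP.example/db.tar.gz'        => true,
    'https://geoip.example.untrusted.test/db.mmdb'    => false, // trusted name is only a prefix
    'https://notgeoip.example/db.mmdb'                => false, // suffix without a dot boundary
    'https://geoip.example@untrusted.test/db.mmdb'    => false, // trusted name in userinfo
    'https://untrusted.test/?u=https://geoip.example' => false, // trusted name in query
    'file:///tmp/db.mmdb'                             => false, // wrong scheme, no host
];
foreach ($samples as $url => $expected) {
    $actual = isUrlFromTrustedHost($url, $trusted);
    printf("%-50s %s\n", $url, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

Calling the same function again immediately before the download would also cover values that were stored before the restriction existed, which is the case the description leaves open.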

@Findus23 commented on January 15th 2021 Member

It would be nice if the error message displayed to the user was translatable and would explain in a bit more detail what they need to do to fix it (or link to an FAQ entry).

@sgiehl commented on January 15th 2021 Member

@Findus23 good point. I've just improved the messages and made them translatable.

This Pull Request was closed on January 19th 2021