@anonymous-piwik-user opened this Issue on September 20th 2010

When you specify a 'homepage' in getInformation() that is an absolute link to a website other than (qa|demo|dev|forum)?.piwik.org or http://clearcode.cc/, the redirect fails. This is because the homepage URL is passed to misc/redirectToUrl.php which contains the following code:

#!php
<?php
// Allow-list check: anything not on a piwik.org host (or the one exact
// clearcode.cc entry) is refused before the redirect is issued.
$url = htmlentities($_GET['url']);
if(!preg_match('~^http://(qa\.|demo\.|dev\.|forum\.)?piwik.org(/|$)~', $url)
&& !in_array($url, array(
    'http://clearcode.cc/',
))) { die; }

This makes it impossible to link to a non-piwik website.

@robocoder commented on September 20th 2010 Contributor

We implemented a whitelist because people reported this as an XSS vulnerability.

When you submit your plugin, include a request to whitelist your url.

@anonymous-piwik-user commented on September 21st 2010

I see - thanks for the tip.

@mattab commented on November 16th 2010 Member

We should simply link to the author website link rather than pass it through the redirect script (in this case).

@robocoder commented on November 16th 2010 Contributor

matt: It's no longer necessary to submit a request to whitelist a URL. The Proxy module automatically whitelists the URLs supplied by plugins' getInformation().
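The two comments above describe the redirect endpoint's allow-list: the fixed piwik.org hosts from the snippet in the report, extended automatically with the URLs plugins return from getInformation(). The following is an added illustration of that design, not Piwik's redirectToUrl.php or Proxy module code; the function names, the sample plugin metadata and the test URLs are constructed for the example, and only the piwik.org host list is taken from the page.

```php
<?php
// Added example (not Piwik's code): a redirect target check whose allow-list
// is the fixed piwik.org hosts plus every 'homepage' / 'license_homepage'
// value that installed plugins report from getInformation().
declare(strict_types=1);

/** Hypothetical helper: is $url an http:// URL on one of the fixed piwik.org hosts? */
function isPiwikHost(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'http') { // the original check only allowed http://
        return false;
    }
    // Compare the parsed host exactly rather than running a regex over the whole
    // string; this also avoids the unescaped '.' in the original pattern.
    $fixedHosts = ['piwik.org', 'qa.piwik.org', 'demo.piwik.org', 'dev.piwik.org', 'forum.piwik.org'];
    return in_array(strtolower($parts['host']), $fixedHosts, true);
}

/**
 * Hypothetical helper: build the allow-list from plugin metadata. $pluginsInformation
 * stands in for the arrays each plugin's getInformation() would return.
 */
function buildAllowList(array $pluginsInformation): array
{
    $allowed = [];
    foreach ($pluginsInformation as $info) {
        foreach (['homepage', 'license_homepage'] as $key) {
            if (!empty($info[$key]) && is_string($info[$key])) {
                $allowed[$info[$key]] = true;
            }
        }
    }
    return $allowed;
}

/**
 * Returns the URL to redirect to, or null when it must be refused (the
 * original code called die; here the caller decides what to do).
 */
function resolveRedirect(string $requested, array $allowed): ?string
{
    // Match the raw value. Running htmlentities() first, as the original did,
    // would turn '&' into '&amp;' and make a legitimate query-string URL miss
    // its own allow-list entry.
    if (isPiwikHost($requested) || isset($allowed[$requested])) {
        return $requested;
    }
    return null;
}

// Constructed sample data: one third-party plugin with an external homepage.
$plugins = [
    [
        'name'             => 'ExamplePlugin',
        'homepage'         => 'http://example.org/plugin/',
        'license_homepage' => 'http://www.gnu.org/licenses/gpl.html',
    ],
];
$allowed = buildAllowList($plugins);

// Constructed test inputs, one per case the thread discusses.
$requests = [
    'http://demo.piwik.org/',                    // fixed allow-list: redirect
    'http://example.org/plugin/',                // plugin homepage: redirect (refused by the old check)
    'http://www.gnu.org/licenses/gpl.html',      // plugin license link: redirect
    'http://example.org/other/',                 // same host, not listed: refused (exact match only)
    'http://evil.example/?next=http://piwik.org/', // open-redirect attempt: refused
];
foreach ($requests as $url) {
    $target = resolveRedirect($url, $allowed);
    echo $url, ' => ', $target === null ? 'refused' : 'redirect to ' . $target, PHP_EOL;
}
```

The allow-list is keyed on the exact string a plugin reports, so a redirect to any other path on the plugin author's host is still refused; that is the trade-off the thread settles on, where the plugin author controls the entry by what getInformation() returns rather than by a manual whitelist request.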

@robocoder commented on November 18th 2010 Contributor

(In [3323]) refs #1711, refs #1014 - move plugin-specific logic out of Url.php to Proxy module; simplify code; re-org related tests

@mattab commented on November 25th 2010 Member

(In [3360]) Refs #1711 - simplifying code: now homepage/license links link directly to the URL, and would expose referer. This is not an issue, as a plugin could anyway obtain a lot more information about the server. In code, all URLs using Proxy&action=redirect are Piwik.org URLs.

This Issue was closed on November 25th 2010