New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add link to new FAQ how to make the diagnostic “Managing processes via CLI” show Ok #17527
Conversation
@mattab Actually it seems all other informational results are handled using this method: matomo/plugins/Diagnostics/Diagnostic/DiagnosticResult.php Lines 62 to 72 in 11f54ee
So maybe we could add some kind of html escaping there, to prevent any injection coming from server configuration variables or HTTP headers. |
Sounds good @sgiehl - unfortunately i won't have time to finish the work on this so maybe someone can do it 🙈 |
We can look into this eventually as part of 4.4 release |
This issue is in "needs review" but there has been no activity for 7 days. ping @tsteur @sgiehl @diosmosis @flamisz |
If we escape the comment we won't be able to put the link in, correct? We could accomplish the same thing w/ another variable that's meant to not contain unsafe input (eg, |
This issue is in "needs review" but there has been no activity for 7 days. ping @tsteur @sgiehl @diosmosis @flamisz |
…a CLI” show Ok NOTE: Had to add the |raw to the item.comment, which may have security risks if some of the "Informational" diagnostics will contain random content that may be injected by someone. Maybe we should audit all informational diagnostics. The new FAQ is: https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/
6b13e1e
to
873fce4
Compare
@diosmosis I've rebased the branch and updated it so comments for informational items are escaped by default. Even though it currently seems unneeded, there is a new parameter to disable that. |
@@ -77,7 +77,8 @@ public function execute() | |||
} | |||
$comment .= $this->translator->translate('Installation_NotSupported') | |||
. ' ' . $this->translator->translate('Goals_Optional') | |||
. ' (' . $this->translator->translate('General_Reasons') . ': ' . $reasonText . ')'; | |||
. ' (' . $this->translator->translate('General_Reasons') . ': ' . $reasonText . ')' | |||
. $this->translator->translate('General_LearnMore', [' <a target="_blank" href="https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/">', '</a>']); | |||
$status = DiagnosticResult::STATUS_INFORMATIONAL; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sgiehl So, below, we still need to set $escapeComment
to false, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually not, as it doesn't use the informationalResult
method, but created the DiagnosticResultItem
item directly
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
NOTE: Had to add the risky
|raw
to the item.comment, which may have security risks if some of the "Informational" diagnostics will contain random content that may be injectable by someone or the system. Maybe we should audit all informational diagnostics?The new FAQ is: https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/
Here is what it looks like:
Review