Add link to new FAQ how to make the diagnostic “Managing processes via CLI” show Ok #17527
Conversation
mattab
added
c: Platform
|
@mattab Actually it seems all other informational results are handled using this method: matomo/plugins/Diagnostics/Diagnostic/DiagnosticResult.php Lines 62 to 72 in 11f54ee So maybe we could add some kind of html escaping there, to prevent any injection coming from server configuration variables or HTTP headers. |
|
Sounds good @sgiehl - unfortunately i won't have time to finish the work on this so maybe someone can do it 🙈 |
|
We can look into this eventually as part of 4.4 release |
|
This issue is in "needs review" but there has been no activity for 7 days. ping @tsteur @sgiehl @diosmosis @flamisz |
github-actions
bot
added
the
Stale
|
If we escape the comment we won't be able to put the link in, correct? We could accomplish the same thing w/ another variable that's meant to not contain unsafe input (eg, |
github-actions
bot
removed
the
Stale
|
This issue is in "needs review" but there has been no activity for 7 days. ping @tsteur @sgiehl @diosmosis @flamisz |
github-actions
bot
added
the
Stale
…a CLI” show Ok NOTE: Had to add the |raw to the item.comment, which may have security risks if some of the "Informational" diagnostics will contain random content that may be injected by someone. Maybe we should audit all informational diagnostics. The new FAQ is: https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/
sgiehl
force-pushed
the
cli_process_faq
branch
2 times, most recently
from
6b13e1e
to
873fce4
Compare
|
@diosmosis I've rebased the branch and updated it so comments for informational items are escaped by default. Even though it currently seems unneeded, there is a new parameter to disable that. |
| @@ -77,7 +77,8 @@ public function execute() | |||
| } | |||
| $comment .= $this->translator->translate('Installation_NotSupported') | |||
| . ' ' . $this->translator->translate('Goals_Optional') | |||
| . ' (' . $this->translator->translate('General_Reasons') . ': ' . $reasonText . ')'; | |||
| . ' (' . $this->translator->translate('General_Reasons') . ': ' . $reasonText . ')' | |||
| . $this->translator->translate('General_LearnMore', [' <a target="_blank" href="https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/">', '</a>']); | |||
| $status = DiagnosticResult::STATUS_INFORMATIONAL; | |||
There was a problem hiding this comment.
@sgiehl So, below, we still need to set $escapeComment to false, right?
There was a problem hiding this comment.
actually not, as it doesn't use the informationalResult method, but created the DiagnosticResultItem item directly
NOTE: Had to add the risky
|rawto the item.comment, which may have security risks if some of the "Informational" diagnostics will contain random content that may be injectable by someone or the system. Maybe we should audit all informational diagnostics?The new FAQ is: https://matomo.org/faq/troubleshooting/how-to-make-the-diagnostic-managing-processes-via-cli-to-display-ok/
Here is what it looks like:
Review