New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
split private directories check into required and recommended #17889
Conversation
I'm not sure what the advantage of splitting everything into two classes is. Couldn't you just return Also I am not sure if I agree that the |
@Findus23 we definitely don't want to show a big security warning when lang/en.json is accessible especially because that likely means they are not using apache etc. Are you saying we should move |
Isn't this check not mainly a reminder for people not using Apache (and those using Apache with .htaccess disabled) that they need to manually take care of protecting files? |
I have implemented translation and added it for de and en. Not sure the wording is perfect but should give an impression. Also, I noticed that the translations are handled differently in the other code. Is this a legacy issue? Should I change that? See https://github.com/matomo-org/matomo/blob/m-17577/plugins/Diagnostics/Diagnostic/RequiredPrivateDirectories.php#L40 for example. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@geekdenz could we refactor this code so that we don't have duplicate code in both classes? Maybe one class could extend the other or so.
Also I think German translations we cannot provide directly in Github as they are managed through https://www.transifex.com/matomo/matomo/ by translators. In Github we only provide default translation in English.
Agree. It should be refactored. I was thinking to provide an abstract class that both extend.
Oh! Noted. Should I revert that change? |
That be good. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@geekdenz it seems some directories are now no longer checked like lang/en.json
.
Could we also show the two diagnostic checks for the files one after another? Maybe first the required and then the recommended.
For the recommend file checks could we still show some kind of information what is wrong and the link to learn more? Maybe something like below
@geekdenz you need to fix this PR before requesting review - it's got the same problem we fixed on another one the other day with your merge gone wrong. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@geekdenz there is now an error when the config.ini.php
is not accessible. This is of all checks the most important one. When it is accessible, no messages shows up in the system check.
Also it passes two parameters to the method addError
when the method itself has only one parameter
Also left some other comments like it now executes the config.ini.php check twice.
|
||
// create test file to check if tmp/empty exists Note: This won't work in a load balanced environment! | ||
Filesystem::mkdir(PIWIK_INCLUDE_PATH . '/tmp'); | ||
file_put_contents(PIWIK_INCLUDE_PATH . '/tmp/empty', 'test'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we create this file in the RecommendedPrivacyDirectory
check as it is only needed there?
|
||
$result = new DiagnosticResult($label); | ||
|
||
$isConfigIniAccessible = $this->isAccessible($result, $baseUrl . 'config/config.ini.php', ';', 'trusted_hosts[]'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we execute this check only for the required directory check to speed things up etc?
reinstate logic but logic changes required and adapt from main branch to match requirements
@geekdenz I just started testing and was checking first thing the config file which wasn't working last time. It looks like it's still not working. This is what I'm getting when the config file is not writable. It says the above URLs are having issues but there is no URL. I won't continue testing further for now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@geekdenz seems to work 💯 left only one more comment to reuse an existing translation and then seems to work
I haven't tested again but I think it looks good to merge if there are no tests failing because of this. |
Not sure if these failing tests are related to this issue's fix, @tsteur : https://builds-artifacts.matomo.org/matomo-org/matomo/4.x-dev/48437/ |
Looks like those are related to the plugin updates last night @geekdenz. |
Hi @tsteur and @geekdenz, I'm still puzzled by the fact that I'm getting this private directories warning for my /lang/en.json file, even though I actually am running on Apache and there is a valid .htaccess file in the /lang directory. I wrote about this earlier here: As I understand it, your patch will simply mark this check as recommended, rather than required, but it seems to me that the underlying issue itself won't be resolved on my site, and I'd really like to figure out why Matomo says this file is exposed in my site, even though I'm running on Apache and have the .htaccess file there. Can either of you help with this? |
Hi @GermanKiwi could you maybe paste the content of that .htaccess in the comment below and also let us know what version of Apache you are using? Cheers |
Sure thing. Below is the contents of the .htaccess file inside the /lang directory. My site is running on Apache 2.4.41.
|
@GermanKiwi could you try to access From our perspective things look good and should work. I would actually recommend you get in touch with SiteGround as something doesn't look right there. But let's double check first there isn't an application error. Be great to know if you can request that file or not. |
Yeah, if I paste the URL for /lang/en.json into my browser (corrected for my own domain, of course), then it returns the full contents of that file in the browser. :( And if I check the HTTP response (using https://www.webconfs.com/http-header-check.php) it returns HTTP/1.1 200 OK |
Incidentally, I only got a warning about this from Matomo after updating to version 4.3.0. Not sure if that's relevant. |
@GermanKiwi before that we didn't have this check this is why you are seeing it only now. I recommend you get in touch with your hoster and ask them. I would assume they should be able to help you there. |
The most likely thing is that in the main apache configuration file of your server overriding settings via .htaccess files is disallowed and they therefore do nothing. (And if this is the case, this check is working as it notified you of this fact) |
fixes #17577
Description:
Some uncertainties in this PR:
Review