New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add mod security check on installation #18064
Conversation
add mod security check
Please be aware this mod security check only works with apache, and only hosting providers allow that action. |
update lanaguage and modsecruity
update translation and mod check to apache check
update screen shoot
expected image looks wrong
# Conflicts: # plugins/Diagnostics/tests/UI/expected-screenshots/Diagnostics_page.png
"<a href='https://matomo.org/faq/troubleshooting/faq_100/' target='_blank'>FAQ</a>"); | ||
|
||
// mod security is detected | ||
if (function_exists('apache_get_modules') && in_array('mod_security', apache_get_modules())) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is anyone able to confirm that mod_security
will appear in the apache modules when it's installed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It won't when using php-fpm as then PHP has no direct "connection" to Apache. I can't say for another mode as I never used apache.
@sgiehl that not always worked, I tested on Plesk and Cpanel, that doesn't work, but on standard install, it works. Maybe we should use curl to test specify ModSecurity URL rules that will cause Matomo tracking problems or penitently cause problems instead. |
I actually don't know the problems that may occur when using mod_security so not sure what the best approach would be |
use sql inject check mod security. mod security on should return 403
reset curl url
# Conflicts: # plugins/Diagnostics/config/config.php # plugins/Diagnostics/tests/UI/expected-screenshots/Diagnostics_page.png # plugins/Installation/tests/UI/expected-screenshots/Installation_system_check.png
@tsteur any suggestion on that one, ModSecurity is deprecated by 2024. By research the common rule ModSecurity has is a SQL inject URL, but that could be blocked by WAF as well. Not sure the best approach to that one. 🤔 |
@peterhashair I suggest we close the PR and I could close the issue for now as a wontfix. We scheduled the issue thinking it was easy to do but turns out it's real complicated and we don't have a reliable way to check for it easily so I would say it's not needed for now. |
Description:
Fixes #3371
Add mod security check on the installation
Review