@GreenReaper opened this Issue on March 4th 2022

Expected Behavior

There are no notice boxes on the Matomo dashboard.

Current Behavior

Two errors are reported as orange message boxes on the dashboard just after update:

WARNING: /core/Url.php(234): Deprecated - strlen(): Passing null to parameter <a href='/1'>#1</a> ($string) of type string is deprecated - Matomo 4.8.0-rc1 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) (Module: CoreHome, Action: index, In CLI mode: false)
WARNING: /core/Url.php(235): Deprecated - strcspn(): Passing null to parameter <a href='/1'>#1</a> ($string) of type string is deprecated - Matomo 4.8.0-rc1 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) (Module: CoreHome, Action: index, In CLI mode: false)

Possible Solution

The code in question is within public static function isValidHost($host = false):

         // Only punctuation we allow is '[', ']', ':', '.', '_' and '-'
>        $hostLength = strlen($host);
>        if ($hostLength !== strcspn($host, '`~!@#$%^&*()+={}\\|;"\'<>,?/ ')) {
             return false;
         }

It occurs to me that there is no code prior to this that would be triggered by 'null'. Passing null does not trigger use of the default value. As PHP type comparisons show, they are not the same - false is 'not true', null means it is not initialized.

Perhaps the code could guard against this by adding a test for null to the block with the condition if ($host === false) { earlier on, that tries self::getHostFromServerVariable() instead, and failing that returns true.

Steps to Reproduce (for Bugs)

  1. Update to 4.8.0-rc1 via the automatic upgrade
  2. Visit main page after update and see the warning
  3. The warning does not appear after visiting the admin plugin page and and going back to the dashboard.

I ran service php8.1-fpm restart but I cannot be sure whether I did that before or after seeing the warning.

In case it matters: this server is processing proxy_passed from another server.

On the recieving processing server, the nginx config is:

        location = /piwik/matomo.php {
                # xxx main server proxying
                set_real_ip_from xxx.xxx.xxx.xxx;
                real_ip_header X-Forwarded-For;

                add_header Strict-Transport-Security "max-age=63072000";
                try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/run/php8.1-fpm-harmony-prod.sock;

                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/

                # Allow requests of up to half an hour
                fastcgi_read_timeout 1800;

                # Buffer response up to 128kb in 4kb chunks
                fastcgi_buffers 32 4k;
        }

On the sending server:

        location ~ /piwik[0-9]*/(matomo|piwik)\.php {

            # Proxy to yyy
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-Uri /piwik;
            proxy_http_version 1.1;
            proxy_socket_keepalive on;
            proxy_read_timeout 5s;
            #proxy_set_header Host xxx.net
            proxy_pass https://yyy.yy.yyy.net

        }

Your Environment

  • Matomo Version: 4.8.0-rc1
  • PHP Version: PHP 8.1.3 (fpm-fcgi) (built: Feb 23 2022 16:07:16)
  • Server Operating System: Debian bullseye x86_64 on Linux 5.10.84
  • Nginx version: nginx version: nginx/1.21.6
  • Additionally installed plugins: CustomVariables, DevicePixelRatio (v2.0.0)
  • Browser: Firefox Nightly 99.0a1 (2022-03-03) (64-bit)
  • Operating System: Windows 10 Home 21H2 19044.1566
@sgiehl commented on March 4th 2022 Member

Thanks @GreenReaper for the report. We will try to fix this in the final version of 4.8.0

This Issue was closed on March 7th 2022
Powered by GitHub Issue Mirror