
Make proxy url only work for authenticated users, otherwise link to domain directly #3460

Closed
mattab opened this issue Oct 19, 2012 · 6 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Critical Indicates the severity of an issue is very critical and the issue has a very high priority.

Comments

@mattab
Member

mattab commented Oct 19, 2012

In Transitions the external links go through the proxy URL. The proxy URL was changed to now accept any link when the user has any view access. This poses the problem of an open redirect on Piwik servers with anonymous access open.

Therefore we should:

  • In Transitions, link to the proxy URL only if the user is not anonymous
  • Restrict the proxy to work only if the user is not anonymous
  • This logic should go through a Smarty function 'proxylink' that would rewrite the URL when needed. Also check for classic cross site via the url param.

Later, as a follow-up, we should also convert all external links to the proxy Smarty function, so that the referrer is not leaked on all external links from a Piwik server.

See: #3268

@mattab
Member Author

mattab commented Oct 19, 2012

Once this ticket is done, let's do: #3268

@sgiehl
Member

sgiehl commented Nov 6, 2012

Shouldn't that small change fix the main part of this issue? (see attached patch)

@sgiehl
Member

sgiehl commented Nov 6, 2012

Attachment:
3460.patch.txt

@mattab
Member Author

mattab commented Nov 7, 2012

Oh!! That's a very good find, which I think will fix the problem indeed!

SteveG, can you please apply the patch after double-checking that things work as expected? But I think it will.

@sgiehl
Member

sgiehl commented Nov 7, 2012

(In [7397]) refs #3460 fixes XSS within proxy module; allow redirect only if the user was referred from within the current Piwik instance
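The checks discussed in this thread, as an added example that is not Piwik's code or the attached patch: a redirect proxy that refuses anonymous users, only redirects when the Referer comes from the same Piwik instance (the r7397 approach), and only accepts http(s) targets so a `javascript:` URL cannot be reflected; plus a `proxylink` helper in the spirit of the proposed Smarty function, which links through the proxy only for logged-in users and directly to the domain otherwise. The base URL `PIWIK_BASE`, the `module=Proxy&action=redirect` query shape, and the request/header dictionaries are assumptions for illustration.

```python
"""Redirect-proxy hardening sketch (added example, not Piwik's code).

Models three controls from the issue and the r7397 commit message:
  1. anonymous users never get a redirect from the proxy,
  2. the proxy only redirects when the request was referred from
     within this Piwik instance (no hotlinking from other sites),
  3. only http/https targets are accepted, so javascript: or data:
     URLs cannot be reflected back to the browser.
"""
from urllib.parse import urlencode, urlsplit

# Assumed location of the Piwik instance used for the same-origin check.
PIWIK_BASE = "https://piwik.example.org/piwik/"


def same_instance(referer, base=PIWIK_BASE):
    """True only if the Referer points at this instance (scheme, host, path prefix).

    A missing Referer is treated as untrusted: privacy extensions strip it,
    and denying by default is the safe failure mode for a redirect endpoint.
    """
    if not referer:
        return False
    r, b = urlsplit(referer), urlsplit(base)
    return r.scheme == b.scheme and r.netloc == b.netloc and r.path.startswith(b.path)


def safe_external_url(url):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, and //host forms."""
    try:
        p = urlsplit(url)
    except ValueError:
        return False
    return p.scheme in ("http", "https") and bool(p.netloc)


def proxy_redirect(params, headers, user_login):
    """Decide what the proxy action does for one request.

    params: query parameters (assumed dict), headers: request headers (assumed dict),
    user_login: login of the current user, "anonymous" for the anonymous user.
    Returns ("redirect", url) or ("deny", reason).
    """
    url = params.get("url", "")
    if user_login == "anonymous":
        return ("deny", "anonymous users may not use the proxy")
    if not same_instance(headers.get("Referer")):
        return ("deny", "request was not referred from within this Piwik instance")
    if not safe_external_url(url):
        return ("deny", "only absolute http(s) targets are allowed")
    return ("redirect", url)


def proxylink(url, user_login):
    """Template-side helper: proxied link for logged-in users, direct link for anonymous.

    Anonymous users get the plain external URL, so the proxy is never exposed
    as an open redirect on instances with anonymous viewing enabled.
    """
    if user_login == "anonymous":
        return url
    query = urlencode({"module": "Proxy", "action": "redirect", "url": url})
    return PIWIK_BASE + "index.php?" + query


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    ref = {"Referer": PIWIK_BASE + "index.php?module=Transitions"}
    print(proxy_redirect({"url": "http://example.com/"}, ref, "admin"))
    print(proxy_redirect({"url": "http://example.com/"}, ref, "anonymous"))
    print(proxy_redirect({"url": "javascript:alert(1)"}, ref, "admin"))
    print(proxylink("http://example.com/", "anonymous"))
    print(proxylink("http://example.com/", "admin"))
```

Note that for a logged-in user the proxy is still, by design, a redirect to an arbitrary http(s) host (that is what hides the referrer); the Referer check only stops other sites from bouncing victims through the instance, and a browser will not let a cross-site page forge that header, so the remaining exposure is a logged-in user clicking a link inside Piwik that was placed there via tracked data, which the scheme whitelist keeps from becoming script execution.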

@mattab
Member Author

mattab commented Nov 9, 2012

Thanks Stefan, it looks good to me.

@mattab mattab added this to the 1.9.2 - Piwik 1.9.2 milestone Jul 8, 2014
This issue was closed.