Make proxy url only work for authenticated users, otherwise link to domain directly #3460
Labels: Bug, c: Security, Critical
In Transitions, the external links go through the proxy URL. The proxy URL was changed to now accept any link when the user has any view access. This poses the problem of open redirect on Piwik servers with anonymous access open.
Therefore we should:
Later, as a follow-up, we should also convert all external links to the proxy smarty function, so that the referrer is not leaked on all external links from a Piwik server.
See: #3268
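The behaviour requested in this issue, as an added PHP example that is not taken from the Piwik code base: the proxy redirects only for authenticated users, and link rendering falls back to the direct URL for anonymous visitors. The function names, the `/proxy` path and the `$isAuthenticated` flag are assumptions made for illustration.

```php
<?php
// Added illustration. All names here are hypothetical, not Piwik/Matomo APIs.
// $isAuthenticated must mean "logged-in user", not "has view access":
// on servers with anonymous access open, the anonymous user has view access too.

/** Accept only absolute http(s) URLs with a host and no control characters. */
function isHttpUrl(string $url): bool
{
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false; // blocks CR/LF header injection and whitespace tricks
    }
    $parts = parse_url($url);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Link rendering: proxy link for authenticated users, direct link otherwise. */
function externalLinkHref(string $url, bool $isAuthenticated, string $proxyPath): string
{
    if (!isHttpUrl($url)) {
        return '#';
    }
    return $isAuthenticated ? $proxyPath . '?url=' . rawurlencode($url) : $url;
}

/** Proxy endpoint decision: returns [status, headers]; never redirects anonymous requests. */
function handleProxyRequest(?string $url, bool $isAuthenticated): array
{
    if (!$isAuthenticated) {
        return [403, []]; // closes the open redirect for anonymous visitors
    }
    if ($url === null || !isHttpUrl($url)) {
        return [400, []];
    }
    return [302, ['Location' => $url]];
}

// Constructed sample inputs.
$target = 'https://example.org/landing?a=1';
foreach ([true, false] as $auth) {
    echo ($auth ? 'authenticated' : 'anonymous'), "\n";
    echo '  href:  ', externalLinkHref($target, $auth, '/proxy'), "\n";
    echo '  proxy: ', json_encode(handleProxyRequest($target, $auth)), "\n";
}
echo 'bad scheme: ', json_encode(handleProxyRequest('javascript:alert(1)', true)), "\n";
```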