
redirect /index.php/.whatever?... URLs to /index.php?... to avoid Content-Type browser bugs #6156

Closed
diosmosis opened this issue Sep 8, 2014 · 4 comments
Labels: c: Security (For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.), Enhancement (For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.), Major (Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.)

Comments

@diosmosis
Member

Some old browsers determine a response's content by the URL's extension, and not the Content-Type HTTP header. Improper URLs like /index.php/.html?... can be used to cause bugs and inject code, so the weird URLs should be redirected when found.
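
One way to implement the redirect the issue asks for, as an added example that is not Matomo's own code or the fix in the referenced PR: compare the requested path against the front controller's script name, and if the path continues past `index.php` (a `PATH_INFO` segment such as `/.html`), send a 301 to the script name plus the untouched query string. The function names, the `$server` array parameter and the sample requests below are assumptions made for this example.

```php
<?php
// Added example (not Matomo's code): normalise /index.php/.whatever?... to
// /index.php?... so that a browser sniffing the response type from the URL
// "extension" cannot be steered into rendering an API/JSON response as HTML.
// Assumes the front controller is served as index.php by the web server.

/**
 * Return the canonical redirect target, or null when no redirect is needed.
 * Works on REQUEST_URI/SCRIPT_NAME rather than PATH_INFO, because PATH_INFO
 * is only populated under some server/FastCGI configurations.
 */
function getRedirectWithoutPathInfo(array $server): ?string
{
    $scriptName = $server['SCRIPT_NAME'] ?? '';   // e.g. /piwik/index.php
    $requestUri = $server['REQUEST_URI'] ?? '';   // e.g. /piwik/index.php/.html?module=X

    // Split the path from the query string; the query is preserved verbatim.
    $qPos  = strpos($requestUri, '?');
    $path  = $qPos === false ? $requestUri : substr($requestUri, 0, $qPos);
    $query = $qPos === false ? '' : substr($requestUri, $qPos);

    // Only act when the path is exactly the script name followed by extra
    // path segments ("/index.php/" prefix). "/index.php?..." is left alone.
    if ($scriptName === '' || strpos($path, $scriptName . '/') !== 0) {
        return null;
    }

    // Rebuild from the server-side script name plus the original query string;
    // nothing from the bogus path segment is copied into the Location header.
    return $scriptName . $query;
}

/** Issue the redirect and stop processing when a spurious suffix is present. */
function redirectIfPathInfoPresent(array $server): void
{
    $target = getRedirectWithoutPathInfo($server);
    if ($target === null) {
        return;
    }
    header('Location: ' . $target, true, 301);
    exit;
}

// Constructed sample requests (not taken from the issue).
$samples = [
    ['SCRIPT_NAME' => '/index.php',       'REQUEST_URI' => '/index.php/.html?module=CoreHome&action=index'],
    ['SCRIPT_NAME' => '/piwik/index.php', 'REQUEST_URI' => '/piwik/index.php?module=API&method=x'],
    ['SCRIPT_NAME' => '/piwik/index.php', 'REQUEST_URI' => '/piwik/index.php/.js'],
];
foreach ($samples as $s) {
    var_dump(getRedirectWithoutPathInfo($s));
}
```

The check has to run before any output is sent, so it belongs at the very top of the front controller. The first sample redirects to `/index.php?module=CoreHome&action=index`, the second needs no redirect, and the third becomes `/piwik/index.php`. Matching on `SCRIPT_NAME . '/'` rather than on `PATH_INFO` also covers servers that leave `PATH_INFO` unset, and the same normalisation can additionally be enforced in the web server's rewrite configuration so the request never reaches PHP with the suffix attached.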

@diosmosis diosmosis added this to the Piwik 2.8.0 milestone Sep 8, 2014
@mattab mattab added Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical. labels Sep 8, 2014
@tsteur
Member

tsteur commented Sep 23, 2014

Do we support those old browsers?

@mattab
Member

mattab commented Sep 23, 2014

maybe this is related to xss issue: #6053

@diosmosis
Member Author

AFAIK it affects some newer versions of opera (though it's more of a UX issue for them) and some builds of IE8. I couldn't reproduce on IE8 via a VM so taking the word of the reporter.

@mnapoli
Contributor

mnapoli commented Oct 8, 2014

Possible fix: #6404

@mnapoli mnapoli self-assigned this Oct 10, 2014
@mattab mattab modified the milestones: Piwik 2.9.0, Piwik 2.8.0, Piwik 2.8.1 Oct 13, 2014
mnapoli added a commit that referenced this issue Oct 20, 2014
Fixes #6156 Redirect /index.php/.whatever?... to /index.php?...

4 participants