New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API keys are completely broken #674
Comments
in core/API/Request.php parse_str is incorrectly used and overwrites all contents of $requestArray, thus erasing any supplied token_auth parameter. A new array should be passed to parse_str and the contents then merged into $requestArray.
$newAr = array(); |
http://www.php.net/manual/en/function.parse-str.php#84645 comments on the parse_str page which verify that parse_str does erase the contents of the second parameter before putting the results into it. |
Refactored in [1021] |
changeset 1021 does not change the affected code. I checked SVN before I submitted this bug, it is still present. https://github.com/piwik/piwik/blob/master/core/API/Request.php
parse_str($request, $requestArray) <-- $requestArray is now an empty array. Next line is if isset($requestArray['token_auth'])) ^ always false (unless token_auth is present in $request) But, we can see that token_auth is not present in $request plugins/VisitsSummary/Controller.php getVisits()
|
You can also test this bug by requesting any API plugin with an auth token and seeing that it does not work.
w/o patch you get a login HTML page. |
Sorry, but I think you misread the code and PHP docs. Yes, parse_str() stores its results in the second parameter (in this case, $requestArray). While it is true that we overwrite the previous contents of $requestArray where the code was earlier initialize, $requestArray is not an empty array. Without your mods and no token, I get:
If I use a valid token, I get the expected results for VisitsSummary.getVisits. (BTW your last example is not a valid API call.) |
I posted a blog comment about this but I think someone deleted my comment. All the api token authentication is completely busted. I had posted the fix in the comment, but now i can't find it. I don't see any mention in the changelog so I'm assuming it's not fixed.
The text was updated successfully, but these errors were encountered: