Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#1711 closed Bug (fixed)

Plugin homepage link redirect fails

Reported by: kamermans Owned by:
Priority: normal Milestone: Piwik 1.1
Component: Core Keywords:
Cc: Sensitive: no


When you specify a 'homepage' in getInformation() that is an absolute link to a website other than (qa|demo|dev|forum)? or, the redirect fails. This is because the homepage URL is passed to misc/redirectToUrl.php which contains the following code:

$url = htmlentities($_GET['url']);
if(!preg_match('~^http://(qa\.|demo\.|dev\.|forum\.)?|$)~', $url)
&& !in_array($url, array(
))) { die; }

This makes it impossible to link to a non-piwik website.

Change History (7)

comment:1 Changed 4 years ago by vipsoft (robocoder)

  • Keywords plugin redirect removed
  • Milestone set to 1.1 - Piwik 1.1
  • Resolution set to invalid
  • Status changed from new to closed

We implemented a whitelist because people reported this as an xss vulnerability.

When you submit your plugin, include a request to whitelist your url.

comment:2 Changed 4 years ago by kamermans

I see - thanks for the tip.

comment:3 Changed 3 years ago by matt (mattab)

  • Resolution invalid deleted
  • Status changed from closed to reopened

We should simply link to the author website link rather than pass it through the redirect script (in this case).

comment:4 Changed 3 years ago by vipsoft (robocoder)

matt: It's no longer necessary to submit a request to whitelist a URL. The Proxy module automatically whitelists the URLs supplied by plugins' getInformation().

comment:5 Changed 3 years ago by vipsoft (robocoder)

(In [3323]) refs #1711, refs #1014 - move plugin-specific logic out of Url.php to Proxy module; simplify code; re-org related tests

comment:6 Changed 3 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from reopened to closed

comment:7 Changed 3 years ago by matt (mattab)

(In [3360]) Refs #1711 - simplifying code: now homepage/license links link directly to the URL, and would expose referer. This is not an issue as, a plugin could anyway obtain a lot more information about the server anyway. In code, all URLs using Proxy&action=redirect are URLs.

Note: See TracTickets for help on using tickets.