#3187 closed Bug (fixed)

Handle matrix URI parameters to ignore parameters like ";jsessionid=..."

Reported by: catchin Owned by:
Priority: normal Milestone: 1.8.3 - Piwik 1.8.3
Component: Core Keywords:
Cc: Sensitive: no

Description

How to reproduce:
Log visits from a Java EE webserver which handles the session parameter through matrix parameters, i.e. a url like http://piwik.org;jsessionid=A3294FBE42?foo=bar.
Then piwik logs the url including the ;jsessionid=A3294FBE42 part although "jsessionid" is a parameter excluded from the query parameters.

Suggestion how to fix it:
PHP's parse_url function is apparently not handling matrix parameters yet, so we have to do it on our own. I don't know where the best position in the code is and where the function would be used elsewhere. For now, I modified core/Tracker/Action.php's excludeQueryParametersFromUrl as in the attached patch.
Probably there are better ways to fix it. If you suggest one to me, I can work out and test other patches.

Attachments (1)

piwik-matrix-parameters.patch (835 bytes) - added by catchin 23 months ago.

Download all attachments as: .zip

Change History (8)

Changed 23 months ago by catchin

comment:1 Changed 22 months ago by matt (mattab)

  • Milestone set to 1.8.x - Piwik 1.8.x

Thanks for the patch. It would be nice to also fix: #3201 if you are able to submit a patch :) Also would be nice to add some tests in: /trunk/tests/core/Tracker/Action.test.php

comment:2 Changed 22 months ago by catchin

Thanks for the hint. I added a fix for #3201 and also added some tests as you suggested.

Unfortunately, I cannot upload my patch, because I get the error "Submission rejected as potential spam (Maximum number of external links per post exceeded)". I now uploaded it here: http://textuploader.com/?p=6&id=F8aVM
Can someone who is allowed please attach the patch to this ticket?

comment:3 Changed 21 months ago by matt (mattab)

  • Milestone changed from 1.8.x - Piwik 1.8.x to 1.8.3 - Piwik 1.8.3

Thanks for the patch!

Review note: We should check (add test) that when a parameter name is a XSS it is properly escaped in the report data UI (as we now do an additional urldecode() which could be dangerous)

comment:4 Changed 21 months ago by catchin

I'm not so familiar with the urldecode behavior by means of XSS. I adapted the patch to remove the urldecode and replace it with a str_replace just for square brackets. Is this better/safer? http://textuploader.com/?p=6&id=RMDnM

comment:5 Changed 21 months ago by matt (mattab)

Thanks for the patch, looks safer indeed.

Do your new tests test for all cases? Also why adding several times the same test at the bottom of the patch?

comment:6 Changed 21 months ago by catchin

Thank you for reviewing!

The tests test for matrix parameters, matrix and normal parameters combined, and squared brackets. The last two tests are different indeed (the second one in addition uses two normal parameters), however with the same outcome (as matrix parameters are converted to normal ones).

comment:7 Changed 21 months ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [6659]) Fixes #3187 Handle java style matrix URLs
Fixes #3201 GET Parameter with square brackets can now be excluded properly

Thanks catchin for the patches!!
Please consider contributing further patches if you can :)

Note: See TracTickets for help on using tickets.