Opened 20 months ago

Closed 15 months ago

Last modified 15 months ago

#3359 closed Task (fixed)

UI: use POST request instead of get to avoid parameters logging

Reported by: matt Owned by: SteveG
Priority: major Milestone: 1.11 - Piwik 1.11
Component: Security Keywords:
Cc: Sensitive: no

Description

Currently, many admin features use ajax requests with GET parameters. Parameters can include the token_auth and therefore is sensitive information. The requests to piwik are usually logged in the apache/nginx/iis access logs.

Let's do a quick audit of the piwik source code, and change all these requests to POST, post params are not logged.

Attachments (2)

get-to-post.patch (3.3 KB) - added by pebosi 19 months ago.
get-to-post.2.patch (3.2 KB) - added by pebosi 19 months ago.
rm debug

Download all attachments as: .zip

Change History (46)

comment:1 Changed 20 months ago by matt (mattab)

  • Component changed from Core to Security

comment:2 Changed 19 months ago by pebosi

Created a patch changing some ajaxRequest.type's to POST

Changed 19 months ago by pebosi

Changed 19 months ago by pebosi

rm debug

comment:3 Changed 18 months ago by SteveG (sgiehl)

(In [7309]) refs #3359 use POST instead of GET requests / do not send token_auth within query strings

comment:4 Changed 18 months ago by SteveG (sgiehl)

  • Owner changed from capedfuzz to SteveG
  • Status changed from new to assigned

comment:5 Changed 18 months ago by SteveG (sgiehl)

(In [7317]) fixes #3483, refs #3359 use GET to query for widgets as query string is used to build urls for sparklines

comment:6 Changed 18 months ago by SteveG (sgiehl)

(In [7322]) fixes #3487, refs #3359 refactoring ajax requests to use a global method to query for module actions

comment:7 Changed 18 months ago by EZdesign (BeezyT)

If I remember correctly, I used GET in the helper method because something didn't work with POST. This change should be very well tested (i.e. every ajax request that is impacted by it).

I think there was a problem with multi row evolution but maybe also somewhere else.

comment:8 Changed 18 months ago by EZdesign (BeezyT)

Also, I think I remember a problem with UTF8 urls and page titles in Transitions when using POST.

Will do some testing...

comment:9 Changed 18 months ago by EZdesign (BeezyT)

(In [7338]) refs #3359: if the user passes a date to piwikHelper.ajaxCall, don't manipulate it in case of period=range

comment:10 Changed 18 months ago by EZdesign (BeezyT)

I ended up not doing much testing because piwikHelper.ajaxCall looks a little weird to me... Most parameters are sent as URL and POST parameters which will most likely cause confusion/problems at some point.

How does PHP handle that anyway? Are the URL parameters in $_GET and the POST parameters in $_POST? That would indeed be confusing.

I would suggest to pass everything as URL parameters and only the token as a POST parameter. Having the rest in the logs can be useful if you want to analyze how Piwik is used.

comment:11 Changed 18 months ago by EZdesign (BeezyT)

Note to the tester (or myself): two critical parts are (Multi) Row Evolution and Transitions because they rely on the encoding being intact after passing the value back and forth. Test with very long urls, utf8 urls, encoded urls, double encoded and urls with unencoded special characters. Do the same for page titles in Transitions. Also, check what other parts were affected by the change and test those AJAX requests.

comment:12 Changed 18 months ago by SteveG (sgiehl)

Ok. It should be the easiest way just to send the token_auth as POST and the rest as GET parameters. I'll change that, so there shouldn't be anymore problems caused by that.

comment:13 Changed 18 months ago by matt (mattab)

thanks for your tests on this, it really helps to know about the test cases etc.

Steve, it looks good to only put token_auth as POST!
Are all the other changes safe?

Note to testers: Check if fixing this also fixes the following bug:

  • In dashboard and in Visitors>Locations report, clicking Goal Icon displays zero everywhere. However data displays correctly in Goals>Overview report by Country. EDIT: is being tracked in: #3492 but possibly will be fixed here
Last edited 18 months ago by matt (previous) (diff)

comment:14 Changed 18 months ago by SteveG (sgiehl)

(In [7343]) refs #3359 only send token_auth as POST param

comment:15 Changed 18 months ago by matt (mattab)

(In [7351]) Ping will deploy to demo to test? Refs #3359

comment:16 Changed 18 months ago by SteveG (sgiehl)

(In [7355]) fixes #3265 pass disableLink param to the widgets
refs #3359 use global ajax method to fetch available widgets

comment:17 Changed 18 months ago by SteveG (sgiehl)

(In [7365]) refs #3359 use global ajax method

comment:18 Changed 18 months ago by SteveG (sgiehl)

(In [7367]) refs #3359 use global ajax method

comment:19 Changed 18 months ago by SteveG (sgiehl)

(In [7368]) refs #3359 use global ajax method for datatables

comment:20 Changed 18 months ago by SteveG (sgiehl)

(In [7370]) refs #3359 use global ajax method for goal management

comment:21 Changed 18 months ago by SteveG (sgiehl)

(In [7371]) refs #3359 do not send empty params in datatable requests (as they should not be needed)

comment:22 Changed 18 months ago by SteveG (sgiehl)

(In [7372]) refs #3359 use global ajax method for SEO widget

comment:23 Changed 18 months ago by SteveG (sgiehl)

(In [7385]) refs #3359 use global ajax method for privacy settings

comment:24 Changed 17 months ago by SteveG (sgiehl)

(In [7489]) refs #3359 moving ajax requests to a new ajax helper with more functionality as the old functions

comment:25 Changed 17 months ago by EZdesign (BeezyT)

I think this is related to this ticket: When using a date range on the dashboard, some widgets don't work. The problem is that only the end date is sent and not "start,end".

Steve, could you take a look at this?

To reproduce

comment:26 Changed 17 months ago by SteveG (sgiehl)

I guess that should already be fixed in [7539]. But I'll take a closer look at that later.

comment:27 Changed 17 months ago by EZdesign (BeezyT)

That change was after the latest beta. So you're probably right, Steve.

Matt, could you release another one? Is there anything else in trunk that is unstable at the moment?

comment:28 Changed 17 months ago by matt (mattab)

(In [7575]) Will release a new beta (sorry for delay @Timo) Refs #3359

comment:29 Changed 17 months ago by matt (mattab)

Beta is available at: http://piwik.org/piwik-1.9.3-b9.zip

Note: different path than usual while we're finalizing security improvements.

comment:30 Changed 17 months ago by SteveG (sgiehl)

(In [7582]) refs #3359 use new ajaxHelper for PDFReport management

comment:31 Changed 17 months ago by SteveG (sgiehl)

(In [7584]) refs #3359 use new ajaxHelper for general settings

comment:32 Changed 17 months ago by SteveG (sgiehl)

(In [7586]) refs #3359 use new ajaxHelper for sitesmanager

comment:33 Changed 17 months ago by SteveG (sgiehl)

(In [7587]) refs #3359 use new ajaxHelper for usersettings

comment:34 Changed 17 months ago by SteveG (sgiehl)

(In [7588]) refs #3359 use global ajax helper for usersmanager

comment:35 Changed 17 months ago by SteveG (sgiehl)

(In [7589]) refs #3359 use global ajax helper for mobilemessaging

comment:36 Changed 17 months ago by SteveG (sgiehl)

(In [7590]) refs #3359 marked some (now unused) methods as deprecated; small improvements

comment:37 Changed 17 months ago by SteveG (sgiehl)

(In [7591]) refs #3359 small fix

comment:38 Changed 17 months ago by SteveG (sgiehl)

(In [7592]) refs #3359 no need to set token_auth as get param as it will be sent as post

comment:39 Changed 15 months ago by matt (mattab)

  • Priority changed from normal to major

Note: just saw that the real time live queyr every 10 seconds contain the token auth. Would be awesome to finish the refactoring or apply the change to the Live plugin.

comment:40 Changed 15 months ago by matt (mattab)

Btw SteveG awesome work& code on this one! Nice series of commits in this ticket ;-)

comment:41 Changed 15 months ago by SteveG (sgiehl)

Live plugin was fixed in [7750]

comment:42 Changed 15 months ago by matt (mattab)

Awesome!

PS: post commit hooks are temporarily broken (under investigation)

comment:43 Changed 15 months ago by SteveG (sgiehl)

  • Resolution set to fixed
  • Status changed from assigned to closed

I'm colsing this ticket for now. There shouldn't be anymore requests done by javascript using token_auth as get param. The only requests done, not using the new ajax helper, are within the feedback, login & install module. If anything is still left, please reopen.

comment:44 Changed 15 months ago by matt (mattab)

Nice refactoring & security improvement!

Note: See TracTickets for help on using tickets.