Prevent path disclosure, automatically hide path from warning messages and backtraces #3620
Labels: c: Security, Task
Path disclosure results in a small piece of information disclosure: the path at which Piwik is set up. We had better not give out this information; even though it is not a problem in itself, it can be used when other attack vectors are available. Also, many users report the bug, and fixing it would reduce email traffic and overhead.
The idea would be to automatically remove the path from the error messages and backtraces in the custom error/exception handler. We could still display the path when the Super User is logged in, just because it would help make things clear.
But for anonymous or view/admin users, we should replace the path with an empty string.
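The redaction described above, as an added illustration (this is not Matomo/Piwik code). It assumes the install root is passed in explicitly as `$installPath` rather than read from Piwik's own constants, and that the caller has already decided `$isSuperUser` through the application's permission check; both the install path and the sample warning below are constructed values.

```php
<?php
// Added example: strip the install path from error messages and backtraces
// before they are shown to anyone who is not the Super User.

/**
 * Remove every occurrence of $installPath from $text.
 * Both the configured path and its realpath() form are redacted, since a
 * symlinked install can surface either spelling in a backtrace.
 */
function redactInstallPath(string $text, string $installPath, bool $isSuperUser = false): string
{
    if ($isSuperUser) {
        return $text; // Super User may see full paths; it helps debugging
    }
    $root = rtrim($installPath, "/\\");
    if ($root === '') {
        return $text; // nothing sensible to redact for "/" or an empty path
    }
    $candidates = [$root];
    $real = realpath($root); // false for a non-existent (constructed) path
    if ($real !== false && rtrim($real, "/\\") !== $root) {
        $candidates[] = rtrim($real, "/\\");
    }
    foreach ($candidates as $candidate) {
        // Match the literal path and its slash-escaped form (as in JSON output),
        // including the directory separator that follows it.
        $quoted  = preg_quote($candidate, '#');
        $escaped = preg_quote(str_replace('/', '\\/', $candidate), '#');
        $text = preg_replace("#(?:$quoted|$escaped)[/\\\\]?#", '', $text);
    }
    return $text;
}

/** Render a throwable for display, redacting paths unless the viewer is Super User. */
function formatExceptionForDisplay(Throwable $e, string $installPath, bool $isSuperUser = false): string
{
    $out  = get_class($e) . ': ' . $e->getMessage() . "\n";
    $out .= 'in ' . $e->getFile() . ':' . $e->getLine() . "\n";
    $out .= $e->getTraceAsString() . "\n";
    return redactInstallPath($out, $installPath, $isSuperUser);
}

// Constructed demonstration input; no real installation is consulted.
$installPath = '/var/www/piwik/';
$warning = 'Warning: include(/var/www/piwik/plugins/Foo/Foo.php): failed to open stream';

echo redactInstallPath($warning, $installPath), "\n";
// anonymous/view/admin: Warning: include(plugins/Foo/Foo.php): failed to open stream
echo redactInstallPath($warning, $installPath, true), "\n";
// Super User: the full path is kept

try {
    throw new RuntimeException('Example failure');
} catch (Throwable $e) {
    // File names in the trace from the real script location are left as-is here,
    // because they are outside the constructed $installPath.
    echo formatExceptionForDisplay($e, $installPath), "\n";
}
```

The relative paths that remain (`plugins/Foo/Foo.php`) are still enough for a user to report the bug, while the absolute install location is no longer leaked to anonymous, view or admin users.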