Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Outbound API/Plugin URL using HTTP instead of HTTPS can cause application blocking #19735

Open
Starker3 opened this issue Sep 14, 2022 · 4 comments
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.

Comments

@Starker3
Copy link
Contributor

We have a Matomo user that has configured their servers to block outbound requests that are sent over port 80 because they want to completely prevent insecure connections from being made.

When this port is blocked, several issues occur:

  1. The Matomo application in certain places in the UI are effectively blocking the UI from loading or responding while Matomo attempts to make a connection to the outbound server.
  2. The connection to the external hostname eventually fails which results in plugin update checks for example to fail.

I found one example of where the HTTP hostname is defined instead of the HTTPS hostname:
https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9

Potential solutions:

  • I guess the simplest would be to just change the hostnames for outbound connections to HTTPS, but this might break things for some servers that have outdated certificate bundles.
  • It would be great if we could use the HTTPS hostname by default and if that fails maybe try the HTTP hostname

But in either case, the timeout seems quite high for a failed connection at 60 seconds, which means that each time that page or a page that checks an external hostname is accessed, the Matomo UI would take a minimum of 1 minute to load. It would be good if this timeout was reduced to at least not block the page from loading for such a long time.

@Starker3 Starker3 added the Potential Bug Something that might be a bug, but can't be reproduced (yet). label Sep 14, 2022
@justinvelluppillai
Copy link
Contributor

We have completed #19081 recently, and will soon make these requests use https by default.

@Starker3
Copy link
Contributor Author

Thanks for the update @justinvelluppillai
Is there an existing issue for changing the URLs/hostnames to use HTTPS? If so we can close this one and rather track it there?

@justinvelluppillai
Copy link
Contributor

We don't have a public facing issue for this yet so this one can remain open 👍🏽

@justinvelluppillai justinvelluppillai added c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. and removed Potential Bug Something that might be a bug, but can't be reproduced (yet). labels Sep 19, 2022
@justinvelluppillai justinvelluppillai added this to the For Prioritization milestone Sep 19, 2022
@codegain
Copy link

codegain commented Oct 7, 2022

Hi, just wanting to throw in that the change here (https://github.com/matomo-org/matomo/blob/4.x-dev/plugins/Marketplace/config/config.php#L9) did in fact break my installation so that every request took more than 1 minute because of the long timeout defined in the marketplace plugin.

The server is only allowed to make outbound connections for https (TCP 443) and not http (TCP 80). I had to shut down the internet features via enable_internet_features=0 to see what's going on after what appeared to be a minor update (4.10.1 -> 4.12.0.

I would've liked to see that change in the changelog of 4.11 instead of only "a new config setting force_matomo_http_request" which is irrelevant to me. I now have to edit the plugins/Marketplace/config/config.php file to rewrite the URL to https because there seems to be no config option to override it (like api_service_url).

I only found out that the marketplace is not using https after dumping the URL in its service, maybe this could somehow be marked in the system diagnostics check with the curl-error if http://plugins.matomo.org is not reachable if the marketplace plugin is active.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Projects
None yet
Development

No branches or pull requests

3 participants