Make archive.sh not accessible via http #599

Closed
anonymous-piwik-user opened this Issue Mar 10, 2009 · 17 comments

@anonymous-piwik-user

In the documentation http://piwik.org/docs/setup-auto-archiving/ should be a hint to place the archive.sh on another place than the document root. If it is in the document root everybody can download it and get the secret(?) api key.

@robocoder

robocoder Mar 10, 2009

Contributor

Should also add a .htaccess file (Deny from all) for those who don’t RTM.

Also, in misc/cron/archive.sh, add `month` to:

```
for period in day week year; do
```

@anonymous-piwik-user

anonymous-piwik-user Mar 10, 2009

“Deny from all” only restricts access on servers that recognise .htaccess. But better than nothing …

@mattab

mattab Mar 10, 2009

Member

I totally agree with this and this should be fixed in the next release.
Ideally we shouldn’t need to edit this file at all, so the file wouldn’t contain any sensitive info:
- we should guess where the local php-cli sits (I think there are some unix commands to do that?)
- we should get the md5 password from config/config.ini.php
- call the piwik api: UsersManager.getTokenAuth (userLogin, md5Password) to get the token_auth

if you want to submit a patch to do that in shell in archive.sh that would be great :-)

vipsoft, we don’t need to add month, as year archives all months and then sums the months in the year to get the year data.

@pebosi

pebosi Mar 11, 2009

Contributor

Attachment: first step is to get the php5 path, or? :)
[get_php5_path.patch](http://issues.piwik.org/attachments/599/get_php5_path.patch)

@mattab

mattab Mar 11, 2009

Member

also we should update the documentation on http://piwik.org/docs/setup-auto-archiving/ when done (and clarify the last section: overriding config file values should now be done in config.ini.php).

@mattab

mattab Mar 11, 2009

Member

to get current path of archive script automatically (to read config file)

http://fritzthomas.com/open-source/linux/384-how-to-get-the-absolute-path-within-the-running-bash-script/

@pebosi

pebosi Mar 11, 2009

Contributor

Attachment: here’s a new version of the archive.sh file, please review it. If I should create a patch, please ask.
[archive.sh.txt](http://issues.piwik.org/attachments/599/archive.sh.txt)

@pebosi

pebosi Mar 11, 2009

Contributor

What I don’t like about my version is how it gets the username and password, but I haven’t found an easier way yet…

@robocoder

robocoder Mar 12, 2009

Contributor

Assuming the superuser section appears first in the config file, an alternative is to use sed, e.g.,

```
PIWIK_SUPERUSER=$(sed '/^login = /!d;s///;q' "$PIWIK_CONFIG")
PIWIK_SUPERUSER_PASSWORD=$(sed '/^password = /!d;s///;q' "$PIWIK_CONFIG")
```

Or if these are double quoted:

```
PIWIK_SUPERUSER=$(sed '/^login = "*/!d;s///;s/"$//;q' "$PIWIK_CONFIG")
PIWIK_SUPERUSER_PASSWORD=$(sed '/^password = "*/!d;s///;s/"$//;q' "$PIWIK_CONFIG")
```

@mattab

mattab Mar 12, 2009

Member

code should be solid indeed, works for

```
login=root
login = root
login = "root"
login =root (with tab)
```

note:
- login & password cannot contain a double quote, they would be encoded as `&quot;`, so it’s safe to sed out any double quote.
- I don’t think we can assume the [superuser] section will be first; other sections containing password keys could be there below. However I think it can be done easily, by getting the line number of the [superuser] string using `grep`, then grepping content from this line number using

```
tail -n+15 file # returns all lines after 15th line
```

@mattab

mattab Mar 12, 2009

Member

also, code could error if login is empty, or if password length <> 32

@robocoder

robocoder Mar 12, 2009

Contributor

This delays the match until it sees the [superuser] section, and ignores whitespace and double quotes.

```
PIWIK_SUPERUSER=$(sed '/^\[superuser\]/,$!d;/^login[ \t]*=[ \t]*"*/!d;s///;s/"[ \t]*$//;q' "$PIWIK_CONFIG")
PIWIK_SUPERUSER_PASSWORD=$(sed '/^\[superuser\]/,$!d;/^password[ \t]*=[ \t]*"*/!d;s///;s/"[ \t]*$//;q' "$PIWIK_CONFIG")
```

It’s not bulletproof, but if the [superuser] section isn’t properly configured, the user has a bigger problem than archive.sh not working.
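A worked version of the extraction, added here as an example; it is not robocoder's sed one-liner, pebosi's patch, or Piwik's own archive.sh. It follows the points raised in this thread: it does not assume [superuser] is the first section (the sed range stops at the next section header instead of counting lines with grep/tail), it refuses an empty login or a password that is not a 32-character md5 hex digest before anything uses them, and it does the php5/php lookup mattab asked for. Assumptions: the config uses `key = value` lines under `[section]` headers as in the samples posted above, the section and key names are `superuser`, `login` and `password`, and the sample config the script writes is constructed for the demo, not a real Piwik file. Only POSIX sh and sed are needed.

```shell
#!/bin/sh
# Added example, not Piwik's archive.sh: pull the [superuser] login and md5
# password out of config.ini.php without assuming [superuser] is the first
# section, then validate them before they are used for anything.
# Assumes "key = value" lines under a "[section]" header (as in the samples
# posted in the thread); only POSIX sh and sed are required.

tab=$(printf '\t')          # literal tab, portable across sed implementations
ws="[ $tab]*"               # optional run of spaces/tabs

# Print the value of key $1 (login or password) from the [superuser] section
# of config file $2. Tolerates "key=value", "key = value", tabs around "=",
# and double-quoted values. The range ends at the next "[section]" header, so
# a password key in another section is never picked up.
piwik_superuser_value() {
    key=$1
    config=$2
    sed -n "/^\\[superuser\\]/,/^\\[/{
        /^$key$ws=/{
            s/^$key$ws=$ws\"*//
            s/$ws\"*$ws\$//
            p
            q
        }
    }" "$config"
}

# Reject the two cases mattab flagged: an empty login, and a password that is
# not a 32-character (lowercase hex) md5 digest.
piwik_check_credentials() {
    login=$1
    md5=$2
    if [ -z "$login" ]; then
        echo "superuser login is empty" >&2
        return 1
    fi
    case $md5 in
        ""|*[!0-9a-f]*)
            echo "superuser password is not a hex md5 digest" >&2
            return 1 ;;
    esac
    if [ ${#md5} -ne 32 ]; then
        echo "superuser password length is ${#md5}, expected 32" >&2
        return 1
    fi
    return 0
}

# Locate the command-line PHP: prefer php5, fall back to php, fail if
# neither is on PATH (prints the path on success).
piwik_find_php() {
    for candidate in php5 php; do
        if command -v "$candidate" >/dev/null 2>&1; then
            command -v "$candidate"
            return 0
        fi
    done
    return 1
}

# Constructed sample config for the demo (not a real Piwik file). The real
# file is <piwik>/config/config.ini.php; the digest here is md5("password").
# The [database] and [Plugins] password keys are decoys that must be ignored.
write_sample_config() {
    printf '%s\n' \
        '; <?php exit; ?> DO NOT REMOVE THIS LINE' \
        '[database]' \
        'password = "dbsecret"' \
        '[superuser]' \
        "login${tab}=${tab}\"admin\"" \
        'password = 5f4dcc3b5aa765d61d8327deb882cf99' \
        '[Plugins]' \
        'password = notme' > "$1"
}

demo() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    login=$(piwik_superuser_value login "$cfg")
    md5=$(piwik_superuser_value password "$cfg")
    rm -f "$cfg"
    echo "login=$login md5=$md5"
    piwik_check_credentials "$login" "$md5" && echo "credentials look sane"
    php=$(piwik_find_php) && echo "php cli: $php" || echo "no php cli on PATH"
}

demo
```

In a real cron script the call would be `piwik_superuser_value login "$PIWIK_HOME/config/config.ini.php"`, with `PIWIK_HOME` derived from the script's own location as in the link mattab posted; the credentials stay in shell variables and are never written into a file under the document root.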

@pebosi

pebosi Mar 12, 2009

Contributor

Attachment: patch file with vipsoft sed version
[599_sed.patch](http://issues.piwik.org/attachments/599/599_sed.patch)

@pebosi

pebosi Mar 12, 2009

Contributor

Attachment: forgot to remove cat. New version:
[599_sed_2.patch](http://issues.piwik.org/attachments/599/599_sed_2.patch)

@mattab

mattab Mar 19, 2009

Member

(In 990) – fixes #599 Make archive.sh not accessible via http; patch by pebosi and vipsoft!

@mattab

mattab Mar 19, 2009

Member

thanks guys, and well done pebosi for your first patch :)

@robocoder

robocoder Mar 27, 2009

Contributor

Just a final comment to clarify this issue, classified by others as an “access vulnerability”.

Piwik is secure by default. Up to and including 0.2.32, archive.sh does not ship with the superuser’s API key, and Piwik never configures this file with the superuser’s API key: not through the installer, not through the admin panel (no facility is provided to do this). archive.sh requires a Unix (or Unix-like) environment (i.e., a bash script) and command-line php5 to be installed.

By default, archiving is an internal Piwik process. The external archive.sh file is not required by default.

To a certain degree, this vulnerability is user error. To expose the API key, the user knowingly edits this file manually, and is assumed to have sufficient Unix knowledge to set up a cron job, change file permissions, etc.

This issue was closed.
