Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Plugin homepage link redirect fails #1711

Closed
anonymous-piwik-user opened this Issue · 6 comments

3 participants

Anonymous Piwik user Anthon Pang Matthieu Aubry
Anonymous Piwik user

When you specify a 'homepage' in getInformation() that is an absolute link to a website other than (qa|demo|dev|forum)?.piwik.org or http://clearcode.cc/, the redirect fails. This is because the homepage URL is passed to misc/redirectToUrl.php which contains the following code:

#!php
$url = htmlentities($_GET['url']);
if(!preg_match('~^http://(qa\.|demo\.|dev\.|forum\.)?piwik.org(/|$)~', $url)
&& !in_array($url, array(
    'http://clearcode.cc/',
))) { die; }

This makes it impossible to link to a non-piwik website.

Anthon Pang
Collaborator

We implemented a whitelist because people reported this as an xss vulnerability.

When you submit your plugin, include a request to whitelist your url.

Anonymous Piwik user

I see - thanks for the tip.

Matthieu Aubry
Owner

We should simply link to the author website link rather than pass it through the redirect script (in this case).

Anthon Pang
Collaborator

matt: It's no longer necessary to submit a request to whitelist a URL. The Proxy module automatically whitelists the URLs supplied by plugins' getInformation().

Anthon Pang
Collaborator

(In [3323]) refs #1711, refs #1014 - move plugin-specific logic out of Url.php to Proxy module; simplify code; re-org related tests

Matthieu Aubry
Owner

(In [3360]) Refs #1711 - simplifying code: now homepage/license links link directly to the URL, and would expose referer. This is not an issue as, a plugin could anyway obtain a lot more information about the server anyway. In code, all URLs using Proxy&action=redirect are Piwik.org URLs.

Anonymous Piwik user anonymous-piwik-user added this to the Piwik 1.1 milestone
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.