Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Handle matrix URI parameters to ignore parameters like ";jsessionid=..." #3187

Closed
catchin opened this Issue · 8 comments

2 participants

Fabian Kneißl Matthieu Aubry
Fabian Kneißl

How to reproduce:
Log visits from a Java EE webserver which handles the session parameter through [http://www.w3.org/DesignIssues/MatrixURIs.html matrix parameters], i.e. a url like
http://piwik.org;jsessionid=A3294FBE42?foo=bar
.[[BR]]Then piwik logs the url including the
;jsessionid=A3294FBE42
part although "jsessionid" is a parameter excluded from the query parameters.

Suggestion how to fix it:
PHP's parse_url function is apparently not handling matrix parameters yet, so we have to do it on our own. I don't know where the best position in the code is and where the function would be used elsewhere. For now, I modified core/Tracker/Action.php's excludeQueryParametersFromUrl as in the attached patch.
Probably there are better ways to fix it. If you suggest one to me, I can work out and test other patches.

Matthieu Aubry
Owner

Thanks for the patch. It would be nice to also fix: #3201 if you are able to submit a patch :) Also would be nice to add some tests in: /trunk/tests/core/Tracker/Action.test.php

Fabian Kneißl

Thanks for the hint. I added a fix for #3201 and also added some tests as you suggested.

Unfortunately, I cannot upload my patch, because I get the error "Submission rejected as potential spam (Maximum number of external links per post exceeded)". I now uploaded it here: http://textuploader.com/?p=6&id=F8aVM
Can someone who is allowed please attach the patch to this ticket?

Matthieu Aubry
Owner

Thanks for the patch!

Review note: We should check (add test) that when a parameter name is a XSS it is properly escaped in the report data UI (as we now do an additional urldecode() which could be dangerous)

Fabian Kneißl

I'm not so familiar with the urldecode behavior by means of XSS. I adapted the patch to remove the urldecode and replace it with a str_replace just for square brackets. Is this better/safer? http://textuploader.com/?p=6&id=RMDnM

Matthieu Aubry
Owner

Thanks for the patch, looks safer indeed.

Do your new tests test for all cases? Also why adding several times the same test at the bottom of the patch?

Fabian Kneißl

Thank you for reviewing!

The tests test for matrix parameters, matrix and normal parameters combined, and squared brackets. The last two tests are different indeed (the second one in addition uses two normal parameters), however with the same outcome (as matrix parameters are converted to normal ones).

Matthieu Aubry
Owner

(In [6659]) Fixes #3187 Handle java style matrix URLs
Fixes #3201 GET Parameter with square brackets can now be excluded properly

Thanks catchin for the patches!!
Please consider contributing further patches if you can :)

Fabian Kneißl catchin added this to the 1.8.3 - Piwik 1.8.3 milestone
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.