Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

UI: use POST request instead of get to avoid parameters logging #3359

Closed
mattab opened this Issue · 44 comments

4 participants

@mattab
Owner

Currently, many admin features use ajax requests with GET parameters. Parameters can include the token_auth and therefore is sensitive information. The requests to piwik are usually logged in the apache/nginx/iis access logs.

Let's do a quick audit of the piwik source code, and change all these requests to POST, post params are not logged.

@pebosi

Created a patch changing some ajaxRequest.type's to POST

@pebosi

Attachment:
get-to-post.patch

@pebosi

Attachment: rm debug
get-to-post.2.patch

@sgiehl
Collaborator

(In [7309]) refs #3359 use POST instead of GET requests / do not send token_auth within query strings

@sgiehl
Collaborator

(In [7317]) fixes #3483, refs #3359 use GET to query for widgets as query string is used to build urls for sparklines

@sgiehl
Collaborator

(In [7322]) fixes #3487, refs #3359 refactoring ajax requests to use a global method to query for module actions

@BeezyT
Collaborator

If I remember correctly, I used GET in the helper method because something didn't work with POST. This change should be very well tested (i.e. every ajax request that is impacted by it).

I think there was a problem with multi row evolution but maybe also somewhere else.

@BeezyT
Collaborator

Also, I think I remember a problem with UTF8 urls and page titles in Transitions when using POST.

Will do some testing...

@BeezyT
Collaborator

(In [7338]) refs #3359: if the user passes a date to piwikHelper.ajaxCall, don't manipulate it in case of period=range

@BeezyT
Collaborator

I ended up not doing much testing because piwikHelper.ajaxCall looks a little weird to me... Most parameters are sent as URL and POST parameters which will most likely cause confusion/problems at some point.

How does PHP handle that anyway? Are the URL parameters in $_GET and the POST parameters in $_POST? That would indeed be confusing.

I would suggest to pass everything as URL parameters and only the token as a POST parameter. Having the rest in the logs can be useful if you want to analyze how Piwik is used.

@BeezyT
Collaborator

Note to the tester (or myself): two critical parts are (Multi) Row Evolution and Transitions because they rely on the encoding being intact after passing the value back and forth. Test with very long urls, utf8 urls, encoded urls, double encoded and urls with unencoded special characters. Do the same for page titles in Transitions. Also, check what other parts were affected by the change and test those AJAX requests.

@sgiehl
Collaborator

Ok. It should be the easiest way just to send the token_auth as POST and the rest as GET parameters. I'll change that, so there shouldn't be anymore problems caused by that.

@mattab
Owner

thanks for your tests on this, it really helps to know about the test cases etc.

Steve, it looks good to only put token_auth as POST!
Are all the other changes safe?

Note to testers: Check if fixing this also fixes the following bug:

  • In dashboard and in Visitors>Locations report, clicking Goal Icon displays zero everywhere. However data displays correctly in Goals>Overview report by Country. EDIT: is being tracked in: #3492 but possibly will be fixed here
@sgiehl
Collaborator

(In [7343]) refs #3359 only send token_auth as POST param

@mattab
Owner

(In [7351]) Ping will deploy to demo to test? Refs #3359

@sgiehl
Collaborator

(In [7355]) fixes #3265 pass disableLink param to the widgets
refs #3359 use global ajax method to fetch available widgets

@sgiehl
Collaborator

(In [7365]) refs #3359 use global ajax method

@sgiehl
Collaborator

(In [7367]) refs #3359 use global ajax method

@sgiehl
Collaborator

(In [7368]) refs #3359 use global ajax method for datatables

@sgiehl
Collaborator

(In [7370]) refs #3359 use global ajax method for goal management

@sgiehl
Collaborator

(In [7371]) refs #3359 do not send empty params in datatable requests (as they should not be needed)

@sgiehl
Collaborator

(In [7372]) refs #3359 use global ajax method for SEO widget

@sgiehl
Collaborator

(In [7385]) refs #3359 use global ajax method for privacy settings

@sgiehl
Collaborator

(In [7489]) refs #3359 moving ajax requests to a new ajax helper with more functionality as the old functions

@BeezyT
Collaborator

I think this is related to this ticket: When using a date range on the dashboard, some widgets don't work. The problem is that only the end date is sent and not "start,end".

Steve, could you take a look at this?

To reproduce

@sgiehl
Collaborator

I guess that should already be fixed in [7539]. But I'll take a closer look at that later.

@BeezyT
Collaborator

That change was after the latest beta. So you're probably right, Steve.

Matt, could you release another one? Is there anything else in trunk that is unstable at the moment?

@mattab
Owner

(In [7575]) Will release a new beta (sorry for delay @Timo) Refs #3359

@mattab
Owner

Beta is available at: http://piwik.org/piwik-1.9.3-b9.zip

Note: different path than usual while we're finalizing security improvements.

@sgiehl
Collaborator

(In [7582]) refs #3359 use new ajaxHelper for PDFReport management

@sgiehl
Collaborator

(In [7584]) refs #3359 use new ajaxHelper for general settings

@sgiehl
Collaborator

(In [7586]) refs #3359 use new ajaxHelper for sitesmanager

@sgiehl
Collaborator

(In [7587]) refs #3359 use new ajaxHelper for usersettings

@sgiehl
Collaborator

(In [7588]) refs #3359 use global ajax helper for usersmanager

@sgiehl
Collaborator

(In [7589]) refs #3359 use global ajax helper for mobilemessaging

@sgiehl
Collaborator

(In [7590]) refs #3359 marked some (now unused) methods as deprecated; small improvements

@sgiehl
Collaborator

(In [7591]) refs #3359 small fix

@sgiehl
Collaborator

(In [7592]) refs #3359 no need to set token_auth as get param as it will be sent as post

@mattab
Owner

Note: just saw that the real time live queyr every 10 seconds contain the token auth. Would be awesome to finish the refactoring or apply the change to the Live plugin.

@mattab
Owner

Btw SteveG awesome work& code on this one! Nice series of commits in this ticket ;-)

@sgiehl
Collaborator

Live plugin was fixed in [7750]

@mattab
Owner

Awesome!

PS: post commit hooks are temporarily broken (under investigation)

@sgiehl
Collaborator

I'm colsing this ticket for now. There shouldn't be anymore requests done by javascript using token_auth as get param. The only requests done, not using the new ajax helper, are within the feedback, login & install module. If anything is still left, please reopen.

@mattab
Owner

Nice refactoring & security improvement!

@mattab mattab added this to the 1.11 - Piwik 1.11 milestone
@sgiehl sgiehl was assigned by mattab
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.