@mattab opened this issue on December 16th 2012

Path disclosure results in a little piece of information disclosure: the path at which Piwik is set up. We had better not give out this information; even though it is not a problem in itself, it can be used when other attack vectors are available. Also, many users report the bug, so fixing it would reduce email traffic and overhead.

The idea would be to automatically remove the path from the error messages and backtraces in the custom error/exception handler. We could still display the path when the Super User is logged in, just because it would help make things clear.

But for anonymous or view/admin, we should replace the path with empty string.
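The handler sketched above, as an added example that is not Piwik's own code: the install path is stripped from messages, backtraces and late fatal errors unless the viewer is the Super User. The install path (taken here from `__DIR__`) and the `$isSuperUser` flag are assumptions standing in for Piwik's real configuration and session checks.

```php
<?php
// Added example (not Piwik's code): redact the install path from error
// output for everyone except the Super User.

// Assumptions: the install path is this script's directory and
// $isSuperUser would come from the application's session in real code.
$installPath = rtrim(__DIR__, '/') . '/';
$isSuperUser = false;

function redactPath(string $text, string $path, bool $showPath): string
{
    // Super User keeps the full path; anyone else gets it replaced with "".
    if ($showPath) {
        return $text;
    }
    // Cover both separator styles so a Windows install does not leak either.
    $variants = [$path, str_replace('/', '\\', $path)];
    return str_replace($variants, '', $text);
}

// Exceptions (and, on PHP 7+, Errors such as TypeError) come through here.
set_exception_handler(function (Throwable $e) use ($installPath, $isSuperUser) {
    $out = $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine()
         . "\n" . $e->getTraceAsString();
    echo htmlspecialchars(redactPath($out, $installPath, $isSuperUser));
});

// Warnings and notices come through here; returning true stops PHP's own
// display, which would otherwise print the unredacted file path.
set_error_handler(function (int $no, string $msg, string $file, int $line) use ($installPath, $isSuperUser) {
    $text = "$msg in $file on line $line";
    echo htmlspecialchars(redactPath($text, $installPath, $isSuperUser));
    return true;
});

// Fatal errors like the "Unsupported operand types" reports in this issue
// bypass set_error_handler on PHP 5, so keep display_errors off and pick
// them up in a shutdown function via error_get_last().
ini_set('display_errors', '0');
register_shutdown_function(function () use ($installPath, $isSuperUser) {
    $err = error_get_last();
    if ($err !== null && ($err['type'] & (E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR))) {
        $text = $err['message'] . ' in ' . $err['file'] . ' on line ' . $err['line'];
        echo htmlspecialchars(redactPath($text, $installPath, $isSuperUser));
    }
});
```

With the install path ending in a slash, a redacted message reads "... in plugins/ExampleAPI/API.php on line 100", which still tells the reporter which file failed without revealing where Piwik lives on disk.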

@mattab commented on January 5th 2013

from email

a[]=
/index.php?a[]=0&b=0&format=xml&method=ExampleAPI.getSum&module=API&token_auth=anonymous
Fatal error: Unsupported operand types in /home/piwik-demo/www/demo.piwik.org/plugins/ExampleAPI/API.php on line 100
---------------------
b[]=
/index.php/index.php?a=0&b[]=0&format=xml&method=ExampleAPI.getSum&module=API&token_auth=anonymous
Fatal error: Unsupported operand types in /home/piwik-demo/www/demo.piwik.org/plugins/ExampleAPI/API.php on line 100
----------------------
date[]=
/index.php?action=getEvolutionGraph&columns=revenue&date[]=1&evolutionBy=revenue&idSite=2&idsite=2&module=MultiSites&period=day&viewDataTable=sparkline
Fatal error: Call to a member function toString() on a non-object in /www2/htdocs/piguik/core/Archive.php on line 262
----------------------
fontSize[]=
/index.php?aliasedGraph=1&apiAction=getCountry&apiModule=UserCountry&date=last10&fontSize[]=9&format=rss&idSite=2&legendAppendMetric=1&method=ImageGraph.get&module=API&outputType=0&period=day&showLegend=1&token_auth=anonymous&translateColumnNames=
Fatal error: Unsupported operand types in /www2/htdocs/piguik/plugins/ImageGraph/API.php on line 163
