authorKate Butler <kate@innocraft.com>2019-08-29 06:47:56 +0300
committerThomas Steur <tsteur@users.noreply.github.com>2019-08-29 06:47:56 +0300
commitad12a4ff5e711560124e086d80526ad43af24ce6 (patch)
tree67705615c4bb24a9f25a768bb0fe4264f397d266
parent7cb5e48757d46bbbfc0b1f939b03c2733cd1e4f7 (diff)
Do tracker request validation/auth before start of processing (#14830)
* Validate request before we start processing
* Refactoring
-rw-r--r--core/Tracker/Visit.php24
-rw-r--r--plugins/UserCountry/Columns/Base.php5
2 files changed, 28 insertions, 1 deletions
diff --git a/core/Tracker/Visit.php b/core/Tracker/Visit.php
index 4099ede467..9449a4a0fc 100644
--- a/core/Tracker/Visit.php
+++ b/core/Tracker/Visit.php
@@ -17,6 +17,7 @@ use Piwik\Date;
use Piwik\Exception\UnexpectedWebsiteFoundException;
use Piwik\Network\IPUtils;
use Piwik\Plugin\Dimension\VisitDimension;
+use Piwik\Plugins\UserCountry\Columns\Base;
use Piwik\Tracker;
use Piwik\Tracker\Visit\VisitProperties;
@@ -68,6 +69,14 @@ class Visit implements VisitInterface
*/
private $invalidator;
+ protected $fieldsThatRequireAuth = array(
+ 'city',
+ 'region',
+ 'country',
+ 'lat',
+ 'long'
+ );
+
public function __construct()
{
$requestProcessors = StaticContainer::get('Piwik\Plugin\RequestProcessors');
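Review bot: The new `$fieldsThatRequireAuth` property carries no comment saying what it is or where its entries come from; it reads as a hand-maintained copy of the URL override parameter names handled by the UserCountry columns, so any column added later has to be mirrored here by hand. A comment above the property such as `// URL override params that may only be honoured on an authenticated request; keep in sync with the UserCountry columns that read them` would make that coupling explicit for the next maintainer. Short array syntax `[]` would also match current PHP style. The class body continues outside the hunk.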
@@ -88,7 +97,7 @@ class Visit implements VisitInterface
private function checkSiteExists(Request $request)
{
try {
- $this->request->getIdSite();
+ $request->getIdSite();
} catch (UnexpectedWebsiteFoundException $e) {
// we allow 0... the request will fail anyway as the site won't exist... allowing 0 will help us
// reporting this tracking problem as it is a common issue. Otherwise we would not be able to report
@@ -98,6 +107,17 @@ class Visit implements VisitInterface
}
}
+ private function validateRequest(Request $request)
+ {
+ // Check for params that aren't allowed to be included unless the request is authenticated
+ foreach ($this->fieldsThatRequireAuth as $field) {
+ Base::getValueFromUrlParamsIfAllowed($field, $request);
+ }
+
+ // Special logic for timestamp as some overrides are OK without auth and others aren't
+ $request->getCurrentTimestamp();
+ }
+
/**
* Main algorithm to handle the visit.
*
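Review bot: `validateRequest()` discards every value it fetches, so it only validates anything if `Base::getValueFromUrlParamsIfAllowed()` and `Request::getCurrentTimestamp()` throw on an unauthenticated override; neither body is visible here, so that contract should be written on the method rather than left implicit. A docblock stating that the method rejects URL overrides that require an authenticated request, that it relies on the called getters throwing and deliberately ignores their return values, and listing the exception type those getters raise under `@throws`, would record it — and if the getters merely fall back silently, this method is a no-op and the check belongs elsewhere. Separately, core `Tracker\Visit` now imports a plugin class (`Piwik\Plugins\UserCountry\Columns\Base`); whether that class is always loadable when the UserCountry plugin is deactivated cannot be seen here and is worth confirming.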
@@ -128,6 +148,8 @@ class Visit implements VisitInterface
$processor->manipulateRequest($this->request);
}
+ $this->validateRequest($this->request);
+
$this->visitProperties = new VisitProperties();
foreach ($this->requestProcessors as $processor) {
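Review bot: The `validateRequest()` call sits after the `manipulateRequest()` loop, so the parameters being checked are whatever is left after every request processor has rewritten the request, not what the client sent, even though the commit title says validation happens before processing starts. If processors may legitimately add or strip these fields, a comment such as `// validate after manipulateRequest() so processor-added overrides are checked too` should say so; otherwise the call belongs before that loop. The enclosing method starts and ends outside the hunk.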
diff --git a/plugins/UserCountry/Columns/Base.php b/plugins/UserCountry/Columns/Base.php
index 1b737bd053..1ee6ea9d18 100644
--- a/plugins/UserCountry/Columns/Base.php
+++ b/plugins/UserCountry/Columns/Base.php
@@ -26,6 +26,11 @@ abstract class Base extends VisitDimension
protected function getUrlOverrideValueIfAllowed($urlParamToOverride, Request $request)
{
+ return self::getValueFromUrlParamsIfAllowed($urlParamToOverride, $request);
+ }
+
+ public static function getValueFromUrlParamsIfAllowed($urlParamToOverride, Request $request)
+ {
$value = Common::getRequestVar($urlParamToOverride, false, 'string', $request->getParams());
if (!empty($value)) {