author | mattpiwik <matthieu.aubry@gmail.com> | 2010-11-26 00:14:22 +0300 |
---|---|---|
committer | mattpiwik <matthieu.aubry@gmail.com> | 2010-11-26 00:14:22 +0300 |
commit | 587cf47761e63573702bad278a4be0391717f34e (patch) | |
tree | 599491a6910e09d66b92e75d0bfe93fb813ba825 /plugins/Proxy | |
parent | d0d2599f473fe43614bbba6e9c15e113f782ef41 (diff) |
Refs #1711 - simplifying code: now homepage/license links link directly to the URL, and would expose the referer. This is not an issue, as a plugin could anyway obtain a lot more information about the server. In code, all URLs using Proxy&action=redirect are Piwik.org URLs.
git-svn-id: http://dev.piwik.org/svn/trunk@3360 59fd770c-687e-43c8-a1e3-f5a4ff64c105
Diffstat (limited to 'plugins/Proxy')
-rw-r--r-- | plugins/Proxy/Controller.php | 34 | ||||
-rw-r--r-- | plugins/Proxy/tests/Proxy.test.php | 46 |
2 files changed, 22 insertions, 58 deletions
diff --git a/plugins/Proxy/Controller.php b/plugins/Proxy/Controller.php
index 709538c83d..130370fd6d 100644
--- a/plugins/Proxy/Controller.php
+++ b/plugins/Proxy/Controller.php
@@ -132,13 +132,7 @@ class Piwik_Proxy_Controller extends Piwik_Controller
 <meta http-equiv="refresh" content="0;url=' . $url . '" />
 </head></html>';
 }
-
- // standard redirect for other whitelisted URLs
- if(self::isAcceptableRemoteUrl($url))
- {
- Piwik_Url::redirectToUrl($url);
- exit;
- }
+ exit;
 }
 /**
@@ -156,30 +150,4 @@ class Piwik_Proxy_Controller extends Piwik_Controller
 return false;
 }
- /**
- * Validate URL against a whitelist, so action=redirect can't be
- * used as an open redirect proxy.
- *
- * @param string $url
- * @return bool True if valid; false otherwise
- */
- static public function isAcceptableRemoteUrl($url)
- {
- $homepageUrls = array();
- $listPlugins = Piwik_PluginsManager::getInstance()->readPluginsDirectory();
-
- foreach($listPlugins as $pluginName)
- {
- $oPlugin = Piwik_PluginsManager::getInstance()->loadPlugin($pluginName);
- $info = $oPlugin->getInformation();
- if((isset($info['homepage']) && $url == $info['homepage'])
- || (isset($info['author_homepage']) && $url == $info['author_homepage'])
- || (isset($info['license_homepage']) && $url == $info['license_homepage']))
- {
- return true;
- }
- }
-
- return false;
- }
 }
diff --git a/plugins/Proxy/tests/Proxy.test.php b/plugins/Proxy/tests/Proxy.test.php
index 2f9ce81e63..44f7986403 100644
--- a/plugins/Proxy/tests/Proxy.test.php
+++ b/plugins/Proxy/tests/Proxy.test.php
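Review bot: With the whitelist branch removed, the meta-refresh echo is the only path that still uses `$url`, and the context line `content="0;url=' . $url . '"` interpolates it into an HTML attribute without any escaping visible here; unless `isPiwikUrl()` (not in this hunk) rejects quote characters, a crafted query string on an otherwise piwik.org URL could break out of the attribute. Suggest `content="0;url=' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"` at the point the URL is emitted. The bare `+ exit;` also means a non-piwik.org URL now produces an empty response with no explanation; a one-line comment such as `// not a piwik.org URL: emit nothing and stop` would make that deliberate choice clear to the next reader. The enclosing redirect action starts above this hunk, so whether `$url` was already escaped earlier cannot be confirmed from the diff.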
@@ -6,34 +6,30 @@ if(!defined('PIWIK_CONFIG_TEST_INCLUDED'))
 class Test_Piwik_Proxy extends UnitTestCase
 {
- public function test_isAcceptableRemoteUrl()
- {
- Piwik::createConfigObject();
+ public function test_isAcceptableRemoteUrl()
+ {
+ Piwik::createConfigObject();
- $data = array(
- // piwik white list (and used in homepage)
- 'http://piwik.org/' => array(true, true),
+ $data = array(
+ // piwik white list (and used in homepage)
+ 'http://piwik.org/' => array(true, true),
- 'http://piwik.org' => array(true, false),
- 'http://qa.piwik.org/' => array(true, false),
- 'http://forum.piwik.org/' => array(true, false),
- 'http://dev.piwik.org/' => array(true, false),
- 'http://demo.piwik.org/' => array(true, false),
+ 'http://piwik.org' => array(true, false),
+ 'http://qa.piwik.org/' => array(true, false),
+ 'http://forum.piwik.org/' => array(true, false),
+ 'http://dev.piwik.org/' => array(true, false),
+ 'http://demo.piwik.org/' => array(true, false),
- // not in the piwik white list
- 'http://www.piwik.org/' => array(false, false),
- 'https://piwik.org/' => array(false, false),
+ // not in the piwik white list
+ 'http://www.piwik.org/' => array(false, false),
+ 'https://piwik.org/' => array(false, false),
+ );
- // plugin author_homepage (must be an exact match)
- 'http://clearcode.cc' => array(false, false),
- 'http://clearcode.cc/' => array(false, true),
- );
-
- foreach($data as $url => $expected)
- {
- $this->assertEqual(Piwik_Proxy_Controller::isPiwikUrl($url), $expected[0], $url);
- $this->assertEqual(Piwik_Proxy_Controller::isAcceptableRemoteUrl($url), $expected[1], $url);
- }
- }
+ foreach($data as $url => $expected)
+ {
+ $this->assertEqual(Piwik_Proxy_Controller::isPiwikUrl($url), $expected[0], $url);
+ $this->assertEqual(Piwik_Proxy_Controller::isAcceptableRemoteUrl($url), $expected[1], $url);
+ }
+ }
 }
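Review bot: The new side of the foreach still asserts `Piwik_Proxy_Controller::isAcceptableRemoteUrl($url)`, but Controller.php in this same commit deletes that static method, so the test will abort with an undefined-method error on its first iteration; the second element of every `$data` tuple is now meaningless as well. The test should assert only `isPiwikUrl()`, with each entry reduced to a single bool, and be renamed to match what it checks. Most of this hunk is otherwise a whitespace-only re-indent, which hides the two dropped clearcode entries; that would be easier to review as a separate commit.
```php
    public function test_isPiwikUrl()
    {
        Piwik::createConfigObject();

        $data = array(
            // piwik white list (and used in homepage)
            'http://piwik.org/' => true,
            // … remaining piwik.org entries, each mapped to the former $expected[0] value …
            'https://piwik.org/' => false,
        );

        foreach($data as $url => $expected)
        {
            $this->assertEqual(Piwik_Proxy_Controller::isPiwikUrl($url), $expected, $url);
        }
    }
```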