author | Kate Butler <kate@innocraft.com> | 2019-05-03 08:08:48 +0300 |
---|---|---|
committer | Thomas Steur <tsteur@users.noreply.github.com> | 2019-05-03 08:08:48 +0300 |
commit | 72df150735664275a60a7861e468c6ff3b152a14 (patch) | |
tree | f4aeec8c2ce873baa6221fdba77bcf195ca308fc /plugins | |
parent | a426194281492a4beaddf23cc7851822b2006a33 (diff) |
Fix CSRF vulnerability in opt-out when setCookieInNewWindow=1 (#14400)
* Fix CSRF vulnerability in opt-out when setCookieInNewWindow=1
* Add nonce to URL for setCookieInNewWindow
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/CoreAdminHome/OptOutManager.php | 12 | ||||
-rw-r--r-- | plugins/CoreAdminHome/templates/optOut.twig | 2 | ||||
m--------- | plugins/CustomDimensions | 0 |
3 files changed, 9 insertions, 5 deletions
diff --git a/plugins/CoreAdminHome/OptOutManager.php b/plugins/CoreAdminHome/OptOutManager.php
index 8ee6690d99..b47f8c2cdc 100644
--- a/plugins/CoreAdminHome/OptOutManager.php
+++ b/plugins/CoreAdminHome/OptOutManager.php
@@ -175,12 +175,13 @@ class OptOutManager
 $reloadUrl = Url::getCurrentQueryStringWithParametersModified(array(
 'showConfirmOnly' => 1,
 'setCookieInNewWindow' => 0,
+ 'nonce' => Common::getRequestVar('nonce')
 ));
 } else {
 $reloadUrl = false;
 
- $nonce = Common::getRequestVar('nonce', false);
- if ($nonce !== false && Nonce::verifyNonce('Piwik_OptOut', $nonce)) {
+ $requestNonce = Common::getRequestVar('nonce', false);
+ if ($requestNonce !== false && Nonce::verifyNonce('Piwik_OptOut', $requestNonce)) {
 Nonce::discardNonce('Piwik_OptOut');
 IgnoreCookie::setIgnoreCookie();
 $trackVisits = !$trackVisits;
@@ -192,11 +193,14 @@ class OptOutManager
 ? $language
 : LanguagesManager::getLanguageCodeForCurrentUser();
 
+ $nonce = Nonce::getNonce('Piwik_OptOut', 3600);
+
 $this->addQueryParameters(array(
 'module' => 'CoreAdminHome',
 'action' => 'optOut',
 'language' => $lang,
- 'setCookieInNewWindow' => 1
+ 'setCookieInNewWindow' => 1,
+ 'nonce' => $nonce
 ), false);
 
 $this->addStylesheet($this->optOutStyling());
@@ -208,7 +212,7 @@ class OptOutManager
 $this->view->setXFrameOptions('allow');
 $this->view->dntFound = $dntFound;
 $this->view->trackVisits = $trackVisits;
- $this->view->nonce = Nonce::getNonce('Piwik_OptOut', 3600);
+ $this->view->nonce = $nonce;
 $this->view->language = $lang;
 $this->view->showConfirmOnly = Common::getRequestVar('showConfirmOnly', false, 'int');
 $this->view->reloadUrl = $reloadUrl;
diff --git a/plugins/CoreAdminHome/templates/optOut.twig b/plugins/CoreAdminHome/templates/optOut.twig
index 478ce8ef69..5f2f8e9721 100644
--- a/plugins/CoreAdminHome/templates/optOut.twig
+++ b/plugins/CoreAdminHome/templates/optOut.twig
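Review bot: The added `'nonce' => Common::getRequestVar('nonce')` in the reloadUrl parameters has no default, while the sibling read in the else branch is `Common::getRequestVar('nonce', false)`; if getRequestVar raises when the parameter is absent and no default is given, as that second call suggests, a request with `setCookieInNewWindow=1` and no nonce (the page opened directly, or from a stale link) ends in an exception instead of the confirmation page. Passing the same default, `'nonce' => Common::getRequestVar('nonce', false)`, keeps the meta-refresh redirect working; the reloaded request then fails verifyNonce() and simply does not set the cookie, which is the safe outcome the fix is after. The enclosing method starts before this hunk, so the origin of $trackVisits and $setCookieInNewWindow is not visible here.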
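Review bot: The hoisted `$nonce = Nonce::getNonce('Piwik_OptOut', 3600);` deserves a why-comment, because the three hunks of this file only make sense together: the value created here goes into the new-window URL through addQueryParameters and into the view, and the request that comes back with `setCookieInNewWindow=1` copies it into reloadUrl so the else branch can verify it. Suggested comment above the assignment: `// Generated once per render and carried in the new-window URL; verifyNonce() on the reload checks the value this page issued, so a cross-site navigation straight to setCookieInNewWindow=1 does not get to mint its own nonce.` The id 'Piwik_OptOut' now appears four times in this method and the 3600 TTL is a bare literal; a private class constant for each would keep the generate, verify and discard calls in step. The method starts and ends outside the hunk.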
@@ -6,7 +6,7 @@
 <title>{{ title }}</title>
 {% endif %}
 {% if reloadUrl %}
- <meta http-equiv="refresh" content="0; url={{ reloadUrl }}&nonce={{ nonce }}" />
+ <meta http-equiv="refresh" content="0; url={{ reloadUrl }}" />
 {% endif %}
 
 {% if stylesheets.external|length > 0 %}
diff --git a/plugins/CustomDimensions b/plugins/CustomDimensions
-Subproject d5d552021eb810958ef7c2d93f433a6f29d5dda
+Subproject a73d8a046a31808d6ea53a9655a49759842d918 |