Skip to content

Prevent leaking backend user IP address to plugins.matomo.org #20998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 21, 2023
Merged

Prevent leaking backend user IP address to plugins.matomo.org #20998

merged 3 commits into from
Jul 21, 2023

Conversation

bx80
Copy link
Contributor

@bx80 bx80 commented Jul 11, 2023

Description:

Fixes #20713

This PR simply removes the code which modifies the X-FORWARDED-FOR header with the current user IP address in the HTTP class which prevents the unintentional leaking of the user IP to plugins.matomo.org, After analyzing the reason this code was originally added it was determined that it was incorrect to consider Matomo a proxy in this case and that any issues with outbound proxies should be solved at network and not application level.

A breaking change note is included in changelog.md to warn anyone using this header for outbound proxies that they may need to update their rules.

Review

@bx80 bx80 added Bug For errors / faults / flaws / inconsistencies etc. not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org. labels Jul 11, 2023
@bx80 bx80 added this to the 5.0.0 milestone Jul 11, 2023
@bx80 bx80 self-assigned this Jul 11, 2023
@bx80 bx80 added the Needs Review PRs that need a code review label Jul 11, 2023
sgiehl
sgiehl reviewed Jul 11, 2023
View reviewed changes
@github-actions
Copy link
Contributor

This issue is in "needs review" but there has been no activity for 7 days. ping @matomo-org/core-reviewers

@github-actions github-actions bot added the Stale The label used by the Close Stale Issues action label Jul 19, 2023
@bx80 bx80 removed the Stale The label used by the Close Stale Issues action label Jul 19, 2023
@bx80 bx80 requested a review from sgiehl July 19, 2023 22:09
@sgiehl sgiehl force-pushed the m20713-no-forwarded-header branch from d4a9db3 to 2cf55f5 Compare July 21, 2023 09:42
@sgiehl sgiehl merged commit 684e8f0 into 5.x-dev Jul 21, 2023
@sgiehl sgiehl deleted the m20713-no-forwarded-header branch July 21, 2023 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tsteur tsteur tsteur left review comments

@samjf samjf samjf left review comments

@sgiehl sgiehl Awaiting requested review from sgiehl

Assignees

@bx80 bx80

Labels
Bug For errors / faults / flaws / inconsistencies etc. Needs Review PRs that need a code review not-in-changelog For issues or pull requests that should not be included in our release changelog on matomo.org.
Milestone
5.0.0
Development

Successfully merging this pull request may close these issues.

Matomo leaks the IP address of the backend user to plugins.matomo.org
4 participants
@bx80 @tsteur @sgiehl @samjf