Error: "Array offset on bool" in SecurityInfo. Matomo 4.1.0

dunozibyunpiot · December 22, 2020, 10:13pm

Surfing in the settings, I came across the Security tab, sorted below the Diagnostics header. Once there, I was greeted by a reassuring message that something was amiss. It had a warm orangy-tinted background and carried just the right amount of urgency to do exactly as it said:

WARNING: PATH TO MATOMO/plugins/SecurityInfo/PhpSecInfo/Test/Application/php.php(39): Notice - Trying to access array offset on value of type bool - Matomo 4.1.0 - Please report this message in the Matomo forums: https://forum.matomo.org (please do a search first as it might have been reported already) (Module: SecurityInfo, Action: index, In CLI mode: false)

But maybe, I am just the conscientious kind of person.

Anyways. Thanks for the great product. If you need more info I’m happy to help.

mezzomedia · December 23, 2020, 4:40pm

+1 on everything said and mentioned in this message.

Lukas · December 23, 2020, 5:55pm

Hi,

Thanks for reporting.

Applying this change (so adding this one line) should fix it:

diff --git a/core/Http.php b/core/Http.php
index 4377ebac7ab..d2d688657ec 100644
--- a/core/Http.php
+++ b/core/Http.php
@@ -595,6 +595,7 @@ public static function sendHttpRequestBy(
                 // curl options (sorted oldest to newest)
                 CURLOPT_URL            => $aUrl,
                 CURLOPT_USERAGENT      => $userAgent,
+                CURLOPT_ENCODING       => "",
                 CURLOPT_HTTPHEADER     => array_merge(array(
                     $xff,
                     $via,

github.com/matomo-org/matomo

always send an "Accept-Encoding" header with HTTP requests

matomo-org:4.x-dev ← matomo-org:accept-encoding-http

opened 05:48PM - 23 Dec 20 UTC

Findus23

+5 -0

This fixes a fun issue reported in https://forum.matomo.org/t/error-array-offset…-on-bool-in-securityinfo-matomo-4-1-0/39986 I originally blamed `safe_unserialize` to be broken, but it turned out that even a `Http::sendHttpRequest('https://php.net/releases/?json=1&version=7', $timeout);` was only returning garbled output. It turns out that whatever server the PHP team uses, assumes that when you use Firefox, you are always able to uncompress gzip-encoded content, even if it was not requested. (and Matomo forwards the User Agent of the user for its HTTP requests). ```bash ➜ ~ curl 'https://www.php.net/releases/?json=1&version=7' {"announcement":true,"tags":[],"date":"26 Nov 2020","source":[{"filename":"php-7.4.13.tar.gz","name":"PHP 7.4.13 (tar.gz)","sha256":"0865cff41e7210de2537bcd5750377cfe09a9312b9b44c1a166cf372d5204b8f","date":"26 Nov 2020"},{"filename":"php-7.4.13.tar.bz2","name":"PHP 7.4.13 (tar.bz2)","sha256":"15a339857e11c92eb47fddcd0dfe8aaa951a9be7c57ab7230ccd497465a31fda","date":"26 Nov 2020"},{"filename":"php-7.4.13.tar.xz","name":"PHP 7.4.13 (tar.xz)","sha256":"aead303e3abac23106529560547baebbedba0bb2943b91d5aa08fff1f41680f4","date":"26 Nov 2020"}],"version":"7.4.13"}% ➜ ~ curl 'https://www.php.net/releases/?json=1&version=7' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0' Warning: Binary output can mess up your terminal. Use "--output -" to tell Warning: curl to output it to your terminal anyway, or consider "--output Warning: <FILE>" to save to a file. ➜ ~ curl 'https://www.php.net/releases/?json=1&version=7' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0' -H "Accept-Encoding: idendity" {"announcement":true,"tags":[],"date":"26 Nov 2020","source":[{"filename":"php-7.4.13.tar.gz","name":"PHP 7.4.13 (tar.gz)","sha256":"0865cff41e7210de2537bcd5750377cfe09a9312b9b44c1a166cf372d5204b8f","date":"26 Nov 2020"},{"filename":"php-7.4.13.tar.bz2","name":"PHP 7.4.13 (tar.bz2)","sha256":"15a339857e11c92eb47fddcd0dfe8aaa951a9be7c57ab7230ccd497465a31fda","date":"26 Nov 2020"},{"filename":"php-7.4.13.tar.xz","name":"PHP 7.4.13 (tar.xz)","sha256":"aead303e3abac23106529560547baebbedba0bb2943b91d5aa08fff1f41680f4","date":"26 Nov 2020"}],"version":"7.4.13"}% ``` So PHP curl recieved a gziped response even though it didn't request it and therefore didn't automatically unpack it. Adding `CURLOPT_ENCODING => ""` tells curl to always request all encodings it supports and therefore be able to handle any gzipped response. > |CURLOPT_ENCODING |The contents of the "Accept-Encoding: " header. This enables decoding of the response. Supported encodings are "identity", "deflate", and "gzip". If an empty string, "", is set, a header containing all supported encoding types is sent. |Added in cURL 7.10.| > |---|---|---| > > https://www.php.net/manual/en/function.curl-setopt.php ### Review * [ ] Functional review done * [ ] Usability review done (is anything maybe unclear or think about anything that would cause people to reach out to support) * [ ] Security review done [see checklist](https://developer.matomo.org/guides/security-in-piwik#checklist) * [ ] Code review done * [ ] Tests were added if useful/possible * [ ] Reviewed for breaking changes * [ ] Developer changelog updated if needed * [ ] Documentation added if needed * [ ] Existing documentation updated if needed