When I install Piwik 2.3.0, it is adding items to my request filtering. It adds .tpl, .twig, .php4, .php5, .inc, .in, .csv, .pdf, .log, .htm, .html and sets them to false on my IIS7 server. Did you all try to add these as true? I get the following error:
Failed to load HTML file: Please check your server configuration. You may want to whitelist “*.html” files from the “plugins” directory. The HTTP status code is 404 for URL “plugins/CoreHome/angularjs/enrichedheadline/enrichedheadline.html”
Same happened to me. I had to go in and remove it, I know I did not add it in. Not very happy about That type of setting taking place without my knowledge.
I found the setting in piwik\plugins\Installation\ServerFilesGenerator.php on line 105 - 115. They are all set to false, but I think they should be true. I had to change it because if someone clicks on “check system” it sets them all to false and then the error shows. Not sure if they should be true though…
What is the problem with this code? I wasn’t aware that it could create issues to users. We did that to make Piwik implement default good security defaults. Let me know more, and how we should change it if you think so?
It looks like .csv, .pdf, .log, .htm, .html were added in release 2.3.0. To be honest, I’m not sure if these should be set to true or false, but when the .htm and .html are set to false, I get the error. Maybe just .htm and .html need to be set to true.
Certainly html is needed since there are html pages within Piwik. We have Piwik totally isolated and stand alone so a problem with Piwik can’t leak over into our production site however a small installation with a single server and not well isolated could have some of their production pages blocked if PDF for example are not allowed. Many sites store documentation in that format.