Using .htaccess to restrict access

fdellwing · July 6, 2018, 6:56am

I just thought some more about this and will kindly suggest an additional change to the check.

# Allow Opt-Out
<Files "index.php">
 <If "(%{QUERY_STRING} =~ /^module\=CoreAdminHome\&action\=optOut(?!.*module\=)(?!.*action\=)/)">
   Require all granted
 </If>
</Files>

If someone wants to know why, take a look at this:

github.com/matomo-org/matomo

Supplying multiple HTTP parameters with the same name may cause Matomo to interpret values in unanticipated ways.

opened 08:27AM - 18 Jun 18 UTC

closed 09:39AM - 18 Jun 18 UTC

appyo

answered

When creating rewrite rules to block the login page from the internet (only optO…ut should be allowed), I found some strange behavior in Matomo v3.5.1. If someone adds parameters with the same name to the URL, then the original module and action will no longer be called. This makes it difficult to block the login page Example: https://##matomo-url##/index.php?module=CoreAdminHome&module=Login&action=optOut&action=index The expected behavior here should be the opt-out page, not the login page.

In short, someone could craft a link that matches the regex but does request completely different than the OptOut.