From 23ead765c75eb9d97b79115e9700ead07fddc54b Mon Sep 17 00:00:00 2001
From: sgiehl
Date: Mon, 30 Mar 2026 09:40:36 +0200
Subject: [PATCH] Fixes entry condition in matomo proxy
---
 matomo-proxy.php | 13 +++++++++----
 tests/ProxyTest.php | 25 +++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 4 deletions(-)
diff --git a/matomo-proxy.php b/matomo-proxy.php
index 33c215e..bb2e2a3 100644
--- a/matomo-proxy.php
+++ b/matomo-proxy.php
@@ -27,10 +27,15 @@
 $filerequest = isset($_POST['file']) ? $_POST['file'] : null;
 }

-if (
- !(isset($filerequest) && in_array($filerequest, $VALID_FILES))
- && !(isset($module) && isset($action) && in_array("$module.$action", $SUPPORTED_METHODS))
-) {
+$hasFileRequest = !empty($filerequest);
+$hasSupportedMethod = !empty($module) && !empty($action) && in_array("$module.$action", $SUPPORTED_METHODS, true);
+
+if ($hasFileRequest) {
+ if (!in_array($filerequest, $VALID_FILES, true)) {
+ http_response_code(404);
+ exit;
+ }
+} elseif (!$hasSupportedMethod) {
 http_response_code(404);
 exit;
 }
diff --git a/tests/ProxyTest.php b/tests/ProxyTest.php
index 77b48fc..bd7c35b 100644
--- a/tests/ProxyTest.php
+++ b/tests/ProxyTest.php
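Review bot: In the `if ($hasFileRequest)` branch `$module` and `$action` are never checked, so a request that names an allowed file together with an unsupported `module`/`action` pair still passes this gate; the change closes only the opposite combination. Whether that matters depends on what the forwarding code below the hunk sends upstream, which is not visible here; if it passes the original query string through, the mixed case should be rejected too, for example `if (!in_array($filerequest, $VALID_FILES, true) || ((!empty($module) || !empty($action)) && !$hasSupportedMethod)) {`. Separately, `!empty()` treats `file=` and `file=0` as "no file request" while leaving `$filerequest` set, so if later code tests `isset($filerequest)`, as the removed condition did, it would see a value that skipped the allow-list. Normalising right after the gate with `$filerequest = $hasFileRequest ? $filerequest : null;` keeps the check and its consumers in agreement.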
@@ -296,6 +296,31 @@ public function test_indexphp_blocked_post_requests_are_not_proxied()
 $this->assertEquals(404, $response->getStatusCode());
 }

+ public function test_indexphp_requests_with_invalid_file_are_not_proxied_even_if_method_is_allowed()
+ {
+ $response = $this->send(
+ 'module=CoreAdminHome&action=optOut&file=plugins/CoreAdminHome/javascripts/notAllowed.js',
+ null,
+ null,
+ null,
+ '/matomo-proxy.php'
+ );
+ $this->assertEquals(404, $response->getStatusCode());
+ }
+
+ public function test_indexphp_post_requests_with_invalid_file_are_not_proxied_even_if_method_is_allowed()
+ {
+ $response = $this->send(
+ 'module=CoreAdminHome&action=optOut&file=plugins/CoreAdminHome/javascripts/notAllowed.js',
+ null,
+ null,
+ null,
+ '/matomo-proxy.php',
+ 'POST'
+ );
+ $this->assertEquals(404, $response->getStatusCode());
+ }
+
 public function test_indexphp_empty_requests_are_not_proxied()
 {
 $response = $this->send('', null, null, null, '/matomo-proxy.php');
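Review bot: Both new tests use only a non-empty, disallowed `file` value, so the boundary introduced by `!empty($filerequest)` in matomo-proxy.php is not pinned: an empty `file=` and `file=0` count as "no file request" and fall through to the method check. Cases such as `'module=CoreAdminHome&action=optOut&file=0'` and the mirror case of an allowed file with an unsupported `module`/`action` would document the intended status for each combination. The two tests differ only in the trailing `'POST'` argument, so a data provider over the request method would remove the duplicated `send()` call.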