matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

[Bug] JavaScript Client getCookie doesn't escape metacharacters in cookie name #21998

Open lukaw3d opened 8 months ago

lukaw3d commented 8 months ago

What happened?

this.getCookie('namespace.abc') finds cookies using /(^|;)[ ]*_pk_namespace.abc.3.1fff=([^;]*)/. That matches slightly different cookies like _pk_namespaceEabcE3E1fff=value. Other regex metacharacters could break in worse ways.


Related code:
https://github.com/matomo-org/matomo/blob/92a56901b303155d1197f2e5bfd4596204f76b88/js/piwik.js#L6154-L6155
https://github.com/matomo-org/matomo/blob/92a56901b303155d1197f2e5bfd4596204f76b88/js/piwik.js#L3265-L3269
https://github.com/matomo-org/matomo/blob/92a56901b303155d1197f2e5bfd4596204f76b88/js/piwik.js#L2476

What should happen?

Use a non-regex implementation for parsing cookies, or throw an error if the cookieName parameter contains unsafe characters, or escape them.

How can this be reproduced?

window._paq.push([
  function () {
    this.setSessionCookie('namespaceEabc', 'value1', 1000)
    this.setSessionCookie('namespace.abc', 'value2', 1000)
    console.log(this.getCookie('namespace.abc')) // prints value1
  },
])

Matomo version

5.0.2

PHP version

No response

Server operating system

No response

What browsers are you seeing the problem on?

No response

Computer operating system

No response

Relevant log output

No response

mneudert commented 8 months ago

Hi @lukaw3d, thanks for raising this issue.

I'll pass this on for prioritization.
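
The mismatch reported in this issue, next to two of the fixes it proposes (escaping the name, or parsing without a regex), as an added example that is not part of the thread and is not Matomo's code. The function names and the cookie string are assumptions constructed for illustration; the lookup pattern follows the regex quoted in the report.

```javascript
// Added example, not Matomo's code. All function names are hypothetical.
// Constructed cookie string using the two cookie names quoted in the issue.
const SAMPLE_COOKIES =
  '_pk_namespaceEabcE3E1fff=value1; _pk_namespace.abc.3.1fff=value2';

// Lookup in the shape quoted in the issue: the name is spliced into the
// pattern unchanged, so every "." in it matches any character.
function getCookieUnescaped(cookieString, name) {
  const m = new RegExp('(^|;)[ ]*' + name + '=([^;]*)').exec(cookieString);
  return m ? m[2] : null;
}

// Fix A: escape regex metacharacters so the name is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function getCookieEscaped(cookieString, name) {
  const pattern = '(^|;)[ ]*' + escapeRegExp(name) + '=([^;]*)';
  const m = new RegExp(pattern).exec(cookieString);
  return m ? m[2] : null;
}

// Fix B: no regex; split on ";" and compare the cookie name exactly.
function getCookieParsed(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const pair = part.trimStart();
    const eq = pair.indexOf('=');
    if (eq !== -1 && pair.slice(0, eq) === name) {
      return pair.slice(eq + 1);
    }
  }
  return null;
}

const wanted = '_pk_namespace.abc.3.1fff';
console.log(getCookieUnescaped(SAMPLE_COOKIES, wanted)); // wrong cookie
console.log(getCookieEscaped(SAMPLE_COOKIES, wanted));   // exact cookie
console.log(getCookieParsed(SAMPLE_COOKIES, wanted));    // exact cookie
```

With the unescaped lookup, a name containing an unbalanced `(` makes `new RegExp` throw a `SyntaxError` instead of returning a wrong value; the escaped and split-based versions handle the same name without error.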