Merge branch 'dev/69'

2024-08-16 16:44:21 +02:00 · 2024-08-16 16:44:21 +02:00 · 1c5ebea422
parent c902a5ff1f 7779d71711
commit 1c5ebea422
3 changed files with 19 additions and 14 deletions
--- a/proxy/config.dist.php
+++ b/proxy/config.dist.php
@ -54,7 +54,6 @@ $target_open      = $target_civicrm . '/civicrm/mailing/open';
 //$target_url       = $target_civicrm . '/sites/all/modules/civicrm/extern/url.php';
 //$target_open      = $target_civicrm . '/sites/all/modules/civicrm/extern/open.php';

-
 /****************************************************************
 **                    GENERAL OPTIONS                         **
 ****************************************************************/
@ -97,6 +96,23 @@ if (file_exists(dirname(__FILE__)."/secrets.php")) {
  require "secrets.php";
 }

+// Parameter whitelisting for open tracking and URL tracking
+// basic civicrm URL/open parameter are u, q and qid (as int)
+// If additional parameters are needed, best practise would be to whitelist each one as needed in
+// $valid_url_parameters and/or $valid_open_parameters.
+// Alternatively it is also possible to allow all parameters with the wildcard parameter '*' => 'string'
+$valid_url_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // whildcard, whitelist all url parameters
+];
+$valid_open_parameters = [
+    'u'   => 'int',
+    'q'   => 'int',
+    'qid' => 'int',
+//    '*'   => 'string'     // wildcard, whitelist *all* open parameters
+];
 // CiviCRM's API can authenticate with different flows
 // https://docs.civicrm.org/dev/en/latest/framework/authx/#flows
 // CiviProxy supports 'header', 'xheader', 'legacyrest', and 'param'.
--- a/proxy/open.php
+++ b/proxy/open.php
@ -16,11 +16,5 @@ if (!$target_open) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('open');

-// basic restraints
-$valid_parameters = [
-  'q'   => 'int',
-  'qid' => 'int',
-];
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_open_parameters);
 civiproxy_redirect($target_open, $parameters);
--- a/proxy/url.php
+++ b/proxy/url.php
@ -16,10 +16,5 @@ if (!$target_url) civiproxy_http_error("Feature disabled", 405);
 // basic check
 civiproxy_security_check('url');

-// basic restraints
-$valid_parameters = array(  'u'   => 'int',
-                            'q'   => 'int',
-                            'qid' => 'int');
-
-$parameters = civiproxy_get_parameters($valid_parameters);
+$parameters = civiproxy_get_parameters($valid_url_parameters);
 civiproxy_redirect($target_url, $parameters);