fixes MWP-1, add system report optional check if bots.yml is accessible

matomo-org · Oct 5, 2023 · 0265d90 · 0265d90
1 parent 0bc1a8a
commit 0265d90
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/classes/WpMatomo/Admin/SystemReport.php b/classes/WpMatomo/Admin/SystemReport.php
@@ -749,6 +749,28 @@ private function get_matomo_info() {
 					'value'   => ! empty( $matomo_url ),
 				];
 			}
+
+			// check that yml files are not accessible
+			$url    = plugins_url( 'app', MATOMO_ANALYTICS_FILE ) . '/vendor/matomo/device-detector/regexes/bots.yml';
+			$result = wp_remote_post(
+				$url,
+				array(
+					'method'    => 'GET',
+					'sslverify' => false,
+					'timeout'   => 2,
+				),
+			);
+			if ( is_array( $result ) ) {
+				$response_code = (int) $result['response']['code'];
+				if ( $response_code >= 200 && $response_code < 300 ) {
+					$rows[] = [
+						'name' => __( 'YML files should not be accessible', 'matomo' ),
+						'value' => 'warning',
+						'comment' => 'The .yml files in the wp-content/plugins/matomo/app/vendor directory are accessible from the internet. This can cause some web security tools to flag your website as suspicious. If you are using Apache, it is probably due to your server configuration disabling the use of .htaccess files. If you are instead using nginx, it is due to your nginx configuration allowing .yml files. You may need to contact your hosting provider to fix this.',
+						'is_warning' => true,
+					];
+				}
+			}
 		}
 
 		$rows[] = [