Page MenuHomePhabricator
Create Task
Maniphest T19506

Exceptions inside Exception ignore $wgShowExceptionDetails
Closed, ResolvedPublic
Actions

Description

Author: davidt

Description:
Display the backtrace only if the wgShowExceptionDetails flag is enabled.

When there's an exception inside an exception handler, (such as when the $name parameter to SkinTemplate::makeTalkUrlDetails() is passed as "User:"), the backtrace is printed to the screen in any case, wherever $wgShowExceptionDetails is enabled or not.

On production sites - this a security vulnerability, because it shows all the paths to the files on the servers.

Attached a patch that makes it print the backtrace only in the case that the wgShowExceptionDetails value is set.

Version: 1.13.x
Severity: normal
URL: http://wikicafe.metacafe.com

Attached:

mediawiki-1.13.4-ShowExceptionDetials.patch980 BDownload

Details

Reference
bz17506

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:30 PM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz17506.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Feb 15 2009, 3:06 PM
bzimport added a comment.Feb 15 2009, 3:07 PM

davidt wrote:

The bug was found and fixed by David Tabachnikov and Romi Romano from Metacafe.

demon added a comment.Feb 16 2009, 4:34 AM

Done in r47305

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL