Page MenuHomePhabricator
Create Task
Maniphest T16678

API ignores $wgShowSQLErrors
Closed, ResolvedPublic
Actions

Description

Proposed patch

Revealing SQL query in cases of error poses security threat.

Version: unspecified
Severity: major

attachment HideQuery.patch ignored as obsolete

Details

Reference
bz14678

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:12 PM
bzimport added a project: MediaWiki-Action-API.
bzimport set Reference to bz14678.
MaxSem created this task.Jun 28 2008, 7:59 PM
brion added a comment.Jun 28 2008, 8:18 PM

Couple of quick comments:

First, the API code is also ignoring $wgShowExceptionDetails here (also set to false by default). The backtrace includes chunks of parameter strings and other info which can reveal part or all of the query, so I'd recommend making sure it checks both of these settings and follows them.

Second, a minor quibble -- is_a() is deprecated in PHP 5; use the instanceof operator instead in new code.

Otherwise looks good -- let's get the other setting patched in there and it's good to go!

MaxSem added a comment.Jun 28 2008, 8:37 PM

Created attachment 5034
$wgShowExceptionDetails too

Attached:

HideQuery.patch1 KBDownload

demon added a comment.Jun 29 2008, 12:07 AM

Modified patch applied in r36775.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL