php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67206 Hide password in exception stack trace
Submitted: 2014-05-05 10:44 UTC Modified: 2014-05-05 19:07 UTC
Votes:8
Avg. Score:4.2 ± 1.4
Reproduced:6 of 8 (75.0%)
Same Version:3 (50.0%)
Same OS:4 (66.7%)
From: sk at computer-leipzig dot com Assigned:
Status: Wont fix Package: PDO Core
PHP Version: Irrelevant OS:
Private report: No CVE-ID:
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-05-05 10:44 UTC] sk at computer-leipzig dot com
Description:
------------
Showing the password as default in the stack is for me a little bit against the philosophy to be a practical web development language. I have no idea how hard it is mark the password with ****** (6 star signs) as default, and only when some configuration is changed show the real password.

I do not verify this, but I expect it is relevant for every database connection wich is using a password. When it is mysql specific, a the change should apply to
PDO mysql only.

Expected result:
----------------
[15-Apr-2014 11:28:17] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2002] Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)' in /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Abstract.php:129
Stack trace:
#0 /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Abstract.php(129): PDO->__construct('mysql:host=loca...', 'a_database', '******', Array)
#1 /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Mysql.php(96): Zend_Db_Adapter_Pdo_Abstract->_connect()


Actual result:
--------------
[15-Apr-2014 11:28:17] PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2002] Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)' in /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Abstract.php:129
Stack trace:
#0 /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Abstract.php(129): PDO->__construct('mysql:host=loca...', 'a_database', 'secure-password', Array)
#1 /opt/ZendFramework-1.10.8/library/Zend/Db/Adapter/Pdo/Mysql.php(96): Zend_Db_Adapter_Pdo_Abstract->_connect()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-05-05 15:15 UTC] tyrael@php.net
you shouldn't enable display_errors in production so this shouldn't have any security impact on your site (and secondly, an attacker shouldn't be able to use those credentials to connect to your database from remotely, but that is not in the scope of this question), but hiding the password by default would be a PITA for those people who are using the error reporting to track down problems like a configuration error, where the connaction fails, because for some reason a wrong password is used.
I'm not closing the issue, because I'm curious what other devs think, but imo it would be a futile attempt to protect people this way.
 [2014-05-05 19:07 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2014-05-05 19:07 UTC] aharvey@php.net
I don't think this is worth the complexity, personally: you'd basically need a generic way to mark arguments as "secure", update extensions to use them, and then update extensions that reimplement stack dumping to honour that.

Seems like a lot of extra work for something that best practice has covered for years: don't show your error messages to users.
 [2014-05-08 10:25 UTC] sk at computer-leipzig dot com
Sorry, but it would be also good practice for years to have a separate connect method without or with optional arguments. This would be another way to solve this issue. You are right it is good practice, to hide error messages. But not everyone does. The errors are gone to log files, which are maybe part of a backup which is lost somewhere and found by a malicious person. Or think of a cron job which sends the password to the administrator. But can we ensure every smtp host travelled by the message is secure? It opens a way to retrieve sensitive data, which then often can be easily used via phpmyadmin or in other ways.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sat Jul 22 00:01:36 2017 UTC