Bug #76970 Password shown in Stacktrace
Submitted: 2018-10-04 13:22 UTC Modified: 2018-10-04 14:59 UTC
From: edv at aulenbacher dot de Assigned: cmb (profile)
Status: Not a bug Package: Scripting Engine problem
PHP Version: 7.2.10 OS: Linux
Private report: No CVE-ID: None
 [2018-10-04 13:22 UTC] edv at aulenbacher dot de
Description:
------------
When printing a stacktrace of a failed attempt to connect to a database, the password passed to the PDO constructor is shown clearly.

Test script:
---------------
Connect via PDO to a database with a wrong password, catch that exception and do
file_put_contents('php://stderr', $e);



Expected result:
----------------
Password is not printed out readable.

Actual result:
--------------
Password is printed out readable.

 [2018-10-04 13:24 UTC] spam2 at rhsoft dot net
this is *not* a bug

you are not supposed to run production servers with display_errors nor should you echo out traces at all
 [2018-10-04 13:28 UTC] edv at aulenbacher dot de
addendum: The following constructor was used:
public PDO::__construct ( string $dsn, string $username, string $passwd)
 [2018-10-04 13:29 UTC] spam2 at rhsoft dot net
irrelevant - php stacktraces are supposed to show the params and you must not echo out debug information to the client
 [2018-10-04 13:34 UTC] spam2 at rhsoft dot net
since your address ends with .de
https://www.golem.de/news/it-sicherheit-wie-ich-mein-passwort-im-stack-trace-fand-1704-127258.html

"why it is too easy to produce such errors in PHP" is simply nonsense

the following paragraph shows the incompetence of the author in that context because you don't need to enable display_errors to realize when things are going wrong - just set error_reporting to E_ALL, disable display_errors, configure error_log and write a cronjob mailing you anything which appears there every 30 minutes as we do in production for a decade now on some hundred webspaces

Display errors was deliberately enabled
It was no accident that display_errors was enabled. I had consciously decided on that some time ago. Originally, the option was globally disabled on the server in question. However, while testing a newer PHP version some time ago, I noticed that several of my PHP scripts contained errors that went unnoticed because the display_errors option was switched off. To prevent that, I thought it more sensible to enable the display of error messages by default. In retrospect, that was not a good idea.
 [2018-10-04 14:59 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Package: PDO Core +Package: Scripting Engine problem -Assigned To: +Assigned To: cmb
 [2018-10-04 14:59 UTC] cmb@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Especially, read <http://php.net/manual/en/security.errors.php>.

(Nice article, Harald. Thanks.)
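An added example, not code from the bug report or from PHP itself, that reproduces the behaviour discussed in this thread with a stand-in connect() function (so no database server is needed) and shows two defender-side ways to keep the password out of the log: writing a trace that omits argument values to error_log(), and, on PHP 7.4 or later, the zend.exception_ignore_args ini setting. The DSN, user name and password are constructed sample values.

```php
<?php
// Added example, not code from the bug report or from PHP itself.
// connect() stands in for PDO::__construct so no database is needed;
// the DSN, user name and password are constructed sample values.
declare(strict_types=1);

function connect(string $dsn, string $user, string $password): void
{
    // Like PDO, the message names only the user. The password still ends
    // up in the trace because the engine records each frame's arguments.
    throw new RuntimeException("SQLSTATE[HY000] [1045] Access denied for user '$user'");
}

function failedConnect(): RuntimeException
{
    try {
        connect('mysql:host=localhost;dbname=app', 'app', 's3cr3t-pass');
    } catch (RuntimeException $e) {
        return $e;
    }
}

// Trace text that keeps file, line and function but drops argument values,
// so it is safe to hand to error_log() (which goes to the configured log,
// never to the client).
function traceWithoutArgs(Throwable $e): string
{
    $out = [get_class($e) . ': ' . $e->getMessage()];
    foreach ($e->getTrace() as $i => $frame) {
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $out[] = sprintf('#%d %s(%d): %s()', $i,
            $frame['file'] ?? '[internal]', $frame['line'] ?? 0, $call);
    }
    return implode(PHP_EOL, $out);
}

$e = failedConnect();
// The reporter's approach: (string)$e serialises the full trace, arguments included,
// so the password string is searchable in it.
$passwordInFullTrace = strpos((string) $e, 's3cr3t-pass') !== false;
// The redacted trace carries the same frames without the argument values.
$passwordInSafeTrace = strpos(traceWithoutArgs($e), 's3cr3t-pass') !== false;
error_log(traceWithoutArgs($e));

// PHP 7.4 and later: tell the engine to stop recording arguments at all,
// which also protects code that stringifies exceptions without redaction.
ini_set('zend.exception_ignore_args', '1');
$e2 = failedConnect();
$passwordAfterIniChange = strpos((string) $e2, 's3cr3t-pass') !== false;
```

On the reporter's PHP 7.2 the ini_set() call is simply ignored, so the redacting helper is the only one of the two mitigations that applies there.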