Proposed patch
Revealing SQL query in cases of error poses security threat.
Version: unspecified
Severity: major
attachment HideQuery.patch ignored as obsolete
Couple of quick comments:
First, the API code is also ignoring $wgShowExceptionDetails here (also set to false by default). The backtrace includes chunks of parameter strings and other info which can reveal part or all of the query, so I'd recommend making sure it checks both of these settings and follows them.
Second, a minor quibble -- is_a() is deprecated in PHP 5; use the instanceof operator instead in new code.
Otherwise looks good -- let's get the other setting patched in there and it's good to go!
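
An added illustration of the check the review comment asks for, not code from the patch or from MediaWiki: an error payload that gates the query text and the backtrace on both settings and uses `instanceof`. `ExampleQueryError` and `exampleApiErrorPayload()` are hypothetical stand-ins, and `$wgShowSQLErrors` is assumed to be the second setting the comment refers to.

```php
<?php
// Added example, not MediaWiki code. ExampleQueryError and
// exampleApiErrorPayload() are hypothetical stand-ins.

// Stand-in for a database exception that carries the failed SQL text.
class ExampleQueryError extends Exception {
    public $sql;

    public function __construct( $message, $sql ) {
        parent::__construct( $message );
        $this->sql = $sql;
    }
}

// Build the error payload an API response would carry.
// $showSQLErrors: assumed to correspond to $wgShowSQLErrors.
// $showExceptionDetails: corresponds to $wgShowExceptionDetails.
function exampleApiErrorPayload( Exception $e, $showSQLErrors, $showExceptionDetails ) {
    $payload = array( 'code' => 'internal_error' );
    $isQueryError = $e instanceof ExampleQueryError; // instanceof, not is_a()

    if ( $isQueryError ) {
        // Message and SQL text both describe the query, so gate them together.
        $payload['info'] = $showSQLErrors
            ? $e->getMessage() . ' Query: ' . $e->sql
            : 'Database query error';
    } else {
        $payload['info'] = $showExceptionDetails
            ? $e->getMessage()
            : 'Exception caught';
    }

    // The backtrace can contain parameter strings, including parts of the
    // query, so a query error needs both settings enabled before it is shown.
    if ( $showExceptionDetails && ( $showSQLErrors || !$isQueryError ) ) {
        $payload['trace'] = $e->getTraceAsString();
    }
    return $payload;
}

// Constructed sample: both settings false, the defaults the comment describes.
$e = new ExampleQueryError( 'Table not found.', 'SELECT * FROM example_table' );
print_r( exampleApiErrorPayload( $e, false, false ) );

// Constructed sample: details on but SQL errors off; the trace stays hidden.
print_r( exampleApiErrorPayload( $e, false, true ) );
```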