Page MenuHomePhabricator

API ignores $wgShowSQLErrors
Closed, ResolvedPublic


Proposed patch

Revealing SQL query in cases of error poses security threat.

Version: unspecified
Severity: major

attachment HideQuery.patch ignored as obsolete



Event Timeline

bzimport raised the priority of this task from to Medium.Nov 21 2014, 10:12 PM
bzimport set Reference to bz14678.

Couple of quick comments:

First, the API code is also ignoring $wgShowExceptionDetails here (also set to false by default). The backtrace includes chunks of parameter strings and other info which can reveal part or all of the query, so I'd recommend making sure it checks both of these settings and follows them.

Second, a minor quibble -- is_a() is deprecated in PHP 5; use the instanceof operator instead in new code.

Otherwise looks good -- let's get the other setting patched in there and it's good to go!

Created attachment 5034
$wgShowExceptionDetails too


Modified patch applied in r36775.