
Exceptions inside Exception ignore $wgShowExceptionDetails
Closed, Resolved (Public)

Description

Author: davidt

Description:
Display the backtrace only if the wgShowExceptionDetails flag is enabled.

When there's an exception inside an exception handler (such as when the $name parameter to SkinTemplate::makeTalkUrlDetails() is passed as "User:"), the backtrace is printed to the screen in any case, whether $wgShowExceptionDetails is enabled or not.

On production sites, this is a security vulnerability, because it shows all the paths to the files on the servers.

Attached a patch that makes it print the backtrace only in the case that the wgShowExceptionDetails value is set.


Version: 1.13.x
Severity: normal
URL: http://wikicafe.metacafe.com

Details

Reference
bz17506

Event Timeline

bzimport raised the priority of this task from to Medium. (Nov 21 2014, 10:30 PM)
bzimport set Reference to bz17506.
bzimport added a subscriber: Unknown Object (MLST).

davidt wrote:

The bug was found and fixed by David Tabachnikov and Romi Romano from Metacafe.
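
The failure mode described in this task, shown as an added example that is not MediaWiki's code or the attached patch: an exception handler whose own report renderer throws, with a fallback path that still checks the details flag before emitting a backtrace. The constant `SHOW_EXCEPTION_DETAILS` and the functions `renderErrorPage`, `fallbackReport` and `handleException` are hypothetical names standing in for a `$wgShowExceptionDetails`-style setting and its handler.

```php
<?php
// Hypothetical stand-in for a $wgShowExceptionDetails-style setting.
const SHOW_EXCEPTION_DETAILS = false;

// Hypothetical report renderer that can itself fail, for example while
// building skin links for the error page.
function renderErrorPage(Throwable $e): string {
    throw new RuntimeException('renderer failed while reporting: ' . $e->getMessage());
}

// Fallback used when the renderer throws. The flag is checked here as well,
// so the nested-exception path cannot print paths or traces on its own.
function fallbackReport(Throwable $original, Throwable $nested, bool $showDetails): string {
    if (!$showDetails) {
        // Full details go to the server log only; the client gets a generic
        // message plus an id that lets an operator find the log entry.
        $id = bin2hex(random_bytes(4));
        error_log(sprintf("[%s] original: %s", $id, (string) $original));
        error_log(sprintf("[%s] nested: %s", $id, (string) $nested));
        return sprintf('Internal error (reference %s).', $id);
    }
    return "Exception: " . $original->getMessage() . "\n"
         . $original->getTraceAsString() . "\n"
         . "Nested exception: " . $nested->getMessage() . "\n"
         . $nested->getTraceAsString();
}

function handleException(Throwable $e, bool $showDetails): string {
    try {
        return renderErrorPage($e);
    } catch (Throwable $nested) {
        // The path this task is about: an exception raised while reporting one.
        return fallbackReport($e, $nested, $showDetails);
    }
}

// Constructed trigger, modelled on the "User:" title case in the report.
$out = handleException(
    new InvalidArgumentException('invalid title "User:"'),
    SHOW_EXCEPTION_DETAILS
);
echo $out, "\n"; // generic message only; no file paths or stack frames
```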