Page MenuHomePhabricator
Create Task
Maniphest T237825

$wgShowExceptionDetails should be per default enabled
Closed, DeclinedPublic
Actions

Description

$wgShowExceptionDetails is configuration setting which shows more detailed output about error which happens.

Default value is false, so users are shown only an error message "Fatal exception of type MWException" with an alphanumeric code that a person with access to the server logs can use to find the stack trace.

I think to we should change default value to true, as usually we suggest users to do when report some problem, so always user can get detailed information about error.

Event Timeline

Kizule created this task.Nov 9 2019, 7:30 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 9 2019, 7:30 PM
MGChecker awarded a token.Nov 9 2019, 8:05 PM
MGChecker added a project: acl*security.
MGChecker subscribed.

This would probably a very large security threat, especially if we change the default vlaue now.

Reedy closed this task as Declined.Nov 9 2019, 8:19 PM
Reedy subscribed.

Yeah, I'm declining.

It should only be enabled by default for development wikis, or if the sysadmin knows what they're doing while debugging stuff

While at Wikimedia we don't see path disclosure as an issue (because the config is all public), it is definitely a concern for third party wikis

chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:11 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL