Page MenuHomePhabricator
Create Task
Maniphest T3477

Ability to hide MySQL Errors
Closed, ResolvedPublic
Actions

Description

Author: paul

Description:
I have searched both the closed and open bug reports for "hide mysql errors" and
could not find a solution. As this is my first time using MediaWiki (and
checking Docs & Google for the answer), there ought to be an option to disable,
or hide MySQL errors from displaying.

Running MediaWiki on a production server having mysql errors displayed can
create security risks. Bug #1057 is an example of this. If there is an option
somewhere I'd be highly appreciative if you can guide me there. Otherwise, I'd
like to request this as a feature as soon as possible.

Thanks everyone. I'll start pouring over the code in the meantime to see if I
can find something.

http://castlecops.com

Version: 1.4.x
Severity: critical
OS: Linux
Platform: PC

Details

Reference
bz1477
TitleReferenceAuthorSource BranchDest Branch
Add deprecation notice to all DSG pages (#521)repos/sre/miscweb/design-style-guide!2jeltodeprecation-notice-cherry-pickmaster
Update Timestamp to v4.1.1repos/data-engineering/metrics-platform!8arlolratimemain
Programatic declaration of Airflow Pools. Single slot pool for MERGEs into wmf_dumps.wikitext_rawrepos/data-engineering/airflow-dags!508xcollazoadd-pool-def-to-dumps-dagsmain
Customize query in GitLab

Event Timeline

bzimport raised the priority of this task from to High.Nov 21 2014, 8:11 PM
bzimport added a project: MediaWiki-General.
bzimport set Reference to bz1477.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Feb 6 2005, 4:13 AM
brooke added a comment.Feb 6 2005, 4:37 AM

Note that because the software is open source, an attacker can find
potential SQL injection problems without access to _your_ installation
simply by re-enabling the error display on their local installation. Thus
the benefits from obscuration of errors is going to be relatively limited.

Probably the simplest way to hide the errors would be to edit the
OutputPage::databaseError() function in includes/OutputPage.php. You
could prune out the message reporting (not including detailed error
information) or even just have it die out with a 500 Internal Server Error.

bzimport added a comment.Feb 6 2005, 4:47 AM

paul wrote:

(In reply to comment #1)

Note that because the software is open source, an attacker can find
potential SQL injection problems without access to _your_ installation
simply by re-enabling the error display on their local installation. Thus
the benefits from obscuration of errors is going to be relatively limited.

You're right, which is precisely why additional security measures have been
taken in the server installation. However, obscuring the errors do help to
prevent from displaying table names. Many (but not all) SQL Injection
techniques rely on knowing table names. Why provide the mechanism on a
production site to show the backend?

Probably the simplest way to hide the errors would be to edit the
OutputPage::databaseError() function in includes/OutputPage.php. You
could prune out the message reporting (not including detailed error
information) or even just have it die out with a 500 Internal Server Error.

Thanks for the direct file path. On quick inspection, it looks like

print $msg."\n";

Is the line that requires modification, or at the least, disable showing the
error on a prod site. Development, I'd leave this in place.

Perhaps offering a special setting in LocalSettings.php defining a $debug value
which would show those errors as required.

I'll report back after some testing.

brooke added a comment.Feb 6 2005, 5:57 AM

Committed to REL1_4 and HEAD:
http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-February/006515.html

Set $wgShowSQLErrors = true to enable database error display, off by default.

bzimport added a comment.Feb 6 2005, 3:51 PM

paul wrote:

(In reply to comment #3)

http://mail.wikipedia.org/pipermail/mediawiki-cvs/2005-February/006515.html

Much obliged. Implemented and confirmed. Now "Internal Error" is displayed
instead. I may fire off a bugtraq FYI on this and direct folks back here.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits