MediaWiki r16944 - Code Review

Repository:MediaWiki
Revision:r16943‎ | r16944 (on ViewVC)‎ | r16945 >
Date:18:57, 11 October 2006
Author:brion
Status:old
Tags:
Comment:
* Disable PHP exception backtrace printing unless $wgShowExceptionDetails
is set. Backtraces may contain sensitive information in function call
parameters.
Modified paths:


Index: trunk/phase3/includes/DefaultSettings.php
===================================================================
--- trunk/phase3/includes/DefaultSettings.php	(revision 16943)
+++ trunk/phase3/includes/DefaultSettings.php	(revision 16944)
@@ -790,6 +790,14 @@
 $wgColorErrors          = true;
 
 /**
+ * If set to true, uncaught exceptions will print a complete stack trace
+ * to output. This should only be used for debugging, as it may reveal
+ * private information in function parameters due to PHP's backtrace
+ * formatting.
+ */
+$wgShowExceptionDetails = false;
+
+/**
  * disable experimental dmoz-like category browsing. Output things like:
  * Encyclopedia > Music > Style of Music > Jazz
  */
Index: trunk/phase3/includes/Exception.php
===================================================================
--- trunk/phase3/includes/Exception.php	(revision 16943)
+++ trunk/phase3/includes/Exception.php	(revision 16944)
@@ -20,16 +20,28 @@
 			return wfMsgReplaceArgs( $fallback, $args );
 		}
 	}
-			
+
 	function getHTML() {
-		return '<p>' . htmlspecialchars( $this->getMessage() ) . 
-			'</p><p>Backtrace:</p><p>' . nl2br( htmlspecialchars( $this->getTraceAsString() ) ) .
-			"</p>\n";
+		global $wgShowExceptionDetails;
+		if( $wgShowExceptionDetails ) {
+			return '<p>' . htmlspecialchars( $this->getMessage() ) . 
+				'</p><p>Backtrace:</p><p>' . nl2br( htmlspecialchars( $this->getTraceAsString() ) ) .
+				"</p>\n";
+		} else {
+			return "<p>Set <b><tt>\$wgShowExceptionDetails = true;</tt></b> " .
+				"in LocalSettings.php to show detailed debugging information.</p>";
+		}
 	}
 
 	function getText() {
-		return $this->getMessage() .
-			"\nBacktrace:\n" . $this->getTraceAsString() . "\n";
+		global $wgShowExceptionDetails;
+		if( $wgShowExceptionDetails ) {
+			return $this->getMessage() .
+				"\nBacktrace:\n" . $this->getTraceAsString() . "\n";
+		} else {
+			return "<p>Set <tt>\$wgShowExceptionDetails = true;</tt> " .
+				"in LocalSettings.php to show detailed debugging information.</p>";
+		}
 	}
 	
 	function getPageTitle() {
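Review bot: The new fallback branch of getText() returns HTML (`<p>`, `<tt>`) even though this method is the plain-text counterpart of getHTML(), whose detailed branch returns the bare message and backtrace with no markup; callers that emit getText() to a terminal or a text/plain response will now print literal tags. The fallback should be plain text, e.g. `return "Set \$wgShowExceptionDetails = true; in LocalSettings.php to show detailed debugging information.\n";`, keeping the markup only in getHTML(). The `global $wgShowExceptionDetails;` lookup reads as undefined (hence falsy) if an exception is raised before DefaultSettings.php is loaded, so both methods fail closed to the non-detailed output, which is the right default; a short comment saying so above the `if(` would help the next maintainer not "fix" it. The function the hunk opens with ends at its first lines and getPageTitle() continues past the hunk, so neither is reviewed here.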
Index: trunk/phase3/RELEASE-NOTES
===================================================================
--- trunk/phase3/RELEASE-NOTES	(revision 16943)
+++ trunk/phase3/RELEASE-NOTES	(revision 16944)
@@ -33,6 +33,9 @@
 * Fix PHP notice and estimates for dumpBackup.php and friends
 * Improved register_globals paranoia checks
 * (bug 7545) Fix PHP version check on install
+* Disable PHP exception backtrace printing unless $wgShowExceptionDetails
+  is set. Backtraces may contain sensitive information in function call
+  parameters.
 
 
 == Languages updated ==