Bug 239590
Opened 20 years ago
Closed 20 years ago
DBI->connect() failure reveals database password in browser
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED DUPLICATE of bug 227191
People
(Reporter: weiss, Assigned: justdave)
Details
User-Agent: Mozilla/5.0 (compatible; Konqueror/3; Linux; en_US, de)
Build Identifier:

When Bugzilla cannot connect to the database (not running, permission troubles), the error message including the DB password is displayed in the browser.

I don't know if 'CGI::Carp qw(fatalsToBrowser)' is enabled in all Bugzilla versions, or only in the development branches; if it isn't, the stable builds are probably okay - I have only been testing with version 2.17.7.

Probably the best place to fix this would be in Bugzilla::DB::_handle_error.

Reproducible: Always

Steps to Reproduce:
1. Turn off mysql daemon
2. Call index.cgi

This is the output produced by Carp::longmess():

Software error:

DBI connect('host=localhost;database=bugs;port=3306','bugs',...) failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) at /usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 592
    DBI::__ANON__('undef','undef') called at /usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 643
    DBI::connect('DBI','DBI:mysql:host=localhost;database=bugs;port=3306','bugs','THEPASSWORD','HASH(0x86ce790)') called at Bugzilla/DB.pm line 150
    Bugzilla::DB::_connect('DBI:mysql:host=localhost;database=bugs;port=3306') called at Bugzilla/DB.pm line 142
    Bugzilla::DB::connect_main() called at Bugzilla.pm line 123
    Bugzilla::dbh('Bugzilla') called at Bugzilla/Auth/Cookie.pm line 66
    Bugzilla::Auth::Cookie::authenticate('Bugzilla::Auth::Cookie',1,1) called at Bugzilla/Auth/CGI.pm line 108
    Bugzilla::Auth::CGI::login('Bugzilla::Auth::CGI',0) called at Bugzilla.pm line 74
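The mechanism in the report above, as an added example that is not part of the original report or of Bugzilla's code: a Carp backtrace lists every caller's arguments, so a password passed to a connect call ends up in whatever message is sent to the browser. The names connect_stub, connect_leaky and connect_safe are hypothetical, the values are constructed to mirror the trace, and the stub stands in for DBI->connect so the script runs without a database.

```perl
#!/usr/bin/perl
# Added illustration; not Bugzilla code. connect_stub() is a hypothetical
# stand-in for DBI->connect so the script runs without a database.
use strict;
use warnings;
use Carp ();

# Constructed sample values mirroring the trace in the report.
my ($dsn, $user, $pass) =
    ('DBI:mysql:host=localhost;database=bugs;port=3306', 'bugs', 'THEPASSWORD');

# Dies the way a failed connect does under a handler that builds its message
# with a Carp backtrace: the trace lists each caller's arguments.
sub connect_stub {
    my ($dsn, $user, $pass) = @_;
    Carp::confess("connect('$dsn','$user',...) failed: server not running");
}

# Leaky: the full trace, password argument included, becomes the page body.
sub connect_leaky {
    my $ok = eval { connect_stub($dsn, $user, $pass); 1 };
    return $ok ? '' : "Software error: $@";
}

# Safer: the browser gets a fixed message; the detail is kept for the
# server-side log, with the literal password value masked (a simple
# approach chosen for this example).
sub connect_safe {
    my $ok = eval { connect_stub($dsn, $user, $pass); 1 };
    return ('', '') if $ok;
    (my $detail = $@) =~ s/\Q$pass\E/[REDACTED]/g;
    return ('Software error: cannot connect to the database.', $detail);
}

my $leaky = connect_leaky();
my ($page, $log) = connect_safe();

printf "leaky page shows password: %s\n", ($leaky =~ /\Q$pass\E/ ? 'yes' : 'no');
printf "safe page shows password:  %s\n", ($page  =~ /\Q$pass\E/ ? 'yes' : 'no');
printf "server log shows password: %s\n", ($log   =~ /\Q$pass\E/ ? 'yes' : 'no');
print  "--- server log ---\n$log";
```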
Comment 1•20 years ago
*** This bug has been marked as a duplicate of 227191 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Comment 2•20 years ago
Clearing the security flag on disclosed bugs
Group: webtools-security
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa