Closed
Bug 239590
Opened 22 years ago
Closed 22 years ago
DBI->connect() failure reveals database password in browser
Categories
(Bugzilla :: Bugzilla-General, defect)
RESOLVED
DUPLICATE
of bug 227191
People
(Reporter: weiss, Assigned: justdave)
Details
User-Agent: Mozilla/5.0 (compatible; Konqueror/3; Linux; en_US, de)
Build Identifier:
When Bugzilla cannot connect to the database (not running, permission
troubles), the error message including the DB password is displayed in the
browser. I don't know if 'CGI::Carp qw(fatalsToBrowser)' is enabled in all
Bugzilla versions, or only in the development branches; if it isn't, the
stable builds are probably okay - I have only been testing with version
2.17.7.
Probably the best place to fix this would be in Bugzilla::DB::_handle_error.
Reproducible: Always
Steps to Reproduce:
1. Turn off mysql daemon
2. Call index.cgi
This is the output produced by Carp::longmess():
Software error:
DBI connect('host=localhost;database=bugs;port=3306','bugs',...) failed: Can't
connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)
at /usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 592
DBI::__ANON__('undef','undef') called at
/usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 643
DBI::connect('DBI','DBI:mysql:host=localhost;database=bugs;port=3306','bugs','THEPASSWORD','HASH(0x86ce790)')
called at Bugzilla/DB.pm line 150
Bugzilla::DB::_connect('DBI:mysql:host=localhost;database=bugs;port=3306')
called at Bugzilla/DB.pm line 142
Bugzilla::DB::connect_main() called at Bugzilla.pm line 123
Bugzilla::dbh('Bugzilla') called at Bugzilla/Auth/Cookie.pm line 66
Bugzilla::Auth::Cookie::authenticate('Bugzilla::Auth::Cookie',1,1)
called at Bugzilla/Auth/CGI.pm line 108
Bugzilla::Auth::CGI::login('Bugzilla::Auth::CGI',0) called at
Bugzilla.pm line 74
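The failure mode in this report, reproduced stand-alone in Perl with only the core Carp module (an added example, not Bugzilla's code and not the fix made in bug 227191). `fake_connect`, `first_line` and `connect_quietly` are hypothetical names, `fake_connect` stands in for `DBI->connect`, and the password is a constructed value. It shows the backtrace carrying the connect arguments, then a guarded call that logs only the first line and returns fixed text for the browser.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp ();

# Hypothetical stand-in for DBI->connect, taking the same argument order.
# It always fails and dies with a full Carp backtrace, as in the report.
sub fake_connect {
    my ($dsn, $user, $password, $attr) = @_;
    Carp::confess("connect('$dsn','$user',...) failed: server not running");
}

# Carp puts the message on the first line and one frame per following
# line, each with its call arguments. Keep the first line only.
sub first_line {
    my ($err) = @_;
    my ($line) = split /\n/, $err, 2;
    return $line;
}

# Connect inside eval. On failure return undef, a line for the server-side
# log, and a fixed message for the browser that carries no error detail.
sub connect_quietly {
    my ($dsn, $user, $password) = @_;
    my $dbh = eval { fake_connect($dsn, $user, $password, {}) };
    return ($dbh) if defined $dbh;
    return (undef, first_line($@), 'Database unavailable, try again later.');
}

my $dsn    = 'DBI:mysql:host=localhost;database=bugs;port=3306';
my $secret = 'CONSTRUCTED-PASSWORD';    # constructed sample value

# Unguarded call: $@ is the kind of text a fatalsToBrowser handler displays.
eval { fake_connect($dsn, 'bugs', $secret, {}) };
my $raw = $@;
print 'raw trace contains password: ',
    (index($raw, $secret) >= 0 ? 'yes' : 'no'), "\n";

# Guarded call: only the first line is logged, only the fixed text is shown.
my ($dbh, $log_line, $page_text) = connect_quietly($dsn, 'bugs', $secret);
warn "$log_line\n";
print "$page_text\n";
print 'log line contains password: ',
    (index($log_line, $secret) >= 0 ? 'yes' : 'no'), "\n";
```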
Comment 1•22 years ago
*** This bug has been marked as a duplicate of 227191 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Comment 2•21 years ago
Clearing the security flag on disclosed bugs
Group: webtools-security
Updated•13 years ago
QA Contact: matty_is_a_geek → default-qa