Closed Bug 239590 Opened 20 years ago Closed 20 years ago

DBI->connect() failure reveals database password in browser

Categories

(Bugzilla :: Bugzilla-General, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 227191

People

(Reporter: weiss, Assigned: justdave)

Details

User-Agent:       Mozilla/5.0 (compatible; Konqueror/3; Linux; en_US, de)
Build Identifier: 

When Bugzilla cannot connect to the database (not running, permission    
troubles), the error message including the DB password is displayed in the    
browser. I don't know if 'CGI::Carp qw(fatalsToBrowser)' is enabled in all 
Bugzilla versions, or only in the development branches; if it isn't, the 
stable builds are probably okay - I have only been testing with version 
2.17.7. 
Probably the best place to fix this would be in Bugzilla::DB::_handle_error. 

Reproducible: Always
Steps to Reproduce:
1. Turn off mysql daemon 
2. Call index.cgi 



This is the output produced by Carp::longmess(): 
 
Software error:

DBI connect('host=localhost;database=bugs;port=3306','bugs',...) failed: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) at /usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 592
        DBI::__ANON__('undef','undef') called at /usr/lib/perl5/site_perl/5.8.0/i586-linux-thread-multi/DBI.pm line 643
        DBI::connect('DBI','DBI:mysql:host=localhost;database=bugs;port=3306','bugs','THEPASSWORD','HASH(0x86ce790)') called at Bugzilla/DB.pm line 150
        Bugzilla::DB::_connect('DBI:mysql:host=localhost;database=bugs;port=3306') called at Bugzilla/DB.pm line 142
        Bugzilla::DB::connect_main() called at Bugzilla.pm line 123
        Bugzilla::dbh('Bugzilla') called at Bugzilla/Auth/Cookie.pm line 66
        Bugzilla::Auth::Cookie::authenticate('Bugzilla::Auth::Cookie',1,1) called at Bugzilla/Auth/CGI.pm line 108
        Bugzilla::Auth::CGI::login('Bugzilla::Auth::CGI',0) called at Bugzilla.pm line 74

*** This bug has been marked as a duplicate of 227191 ***
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa
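
The trace in the report shows the mechanism: DBI's own message elides the password ("...") while the Carp backtrace prints each frame's raw arguments. The Perl below is an added illustration, not part of the original report and not Bugzilla's code; fake_dbi_connect, connect_leaky, connect_hardened and leaks_secret are hypothetical names, and the stand-in replaces a real DBI->connect so that it runs with core Perl only.

```perl
use strict;
use warnings;
use Carp ();

# Constructed stand-in for DBI->connect that always fails, as with mysqld stopped.
# Like DBI, its own message elides the password; Carp::confess then appends a
# backtrace that prints every frame's arguments verbatim.
sub fake_dbi_connect {
    my ($dsn, $user, $pass, $attr) = @_;
    Carp::confess(sprintf("DBI connect('%s','%s',...) failed: Can't connect", $dsn, $user));
}

# Leaky: the exception leaves this sub with the backtrace still attached, so a
# fatalsToBrowser-style handler would render the password argument.
sub connect_leaky {
    my ($dsn, $user, $pass) = @_;
    return fake_dbi_connect($dsn, $user, $pass, {});
}

# Hardened: trap the failure in the frame that holds the password, log only the
# driver's message line server-side, and rethrow fixed text. The trailing "\n"
# stops die from appending anything to the message.
sub connect_hardened {
    my ($dsn, $user, $pass) = @_;
    my $dbh = eval { fake_dbi_connect($dsn, $user, $pass, {}) };
    return $dbh if defined $dbh;
    my ($detail) = split /\n/, $@;          # first line only, no frames
    warn "[db] $detail\n";                  # STDERR, i.e. the web server error log
    die "Cannot connect to the database; details are in the server error log.\n";
}

# Returns 1 if the exception text raised by $code contains $secret, else 0.
sub leaks_secret {
    my ($code, $secret, @args) = @_;
    eval { $code->(@args); 1 } and return 0;
    return index($@, $secret) >= 0 ? 1 : 0;
}

# Constructed sample values taken from the trace above.
my @args = ('DBI:mysql:host=localhost;database=bugs;port=3306', 'bugs', 'THEPASSWORD');
printf "leaky    leaks password: %d\n", leaks_secret(\&connect_leaky,    'THEPASSWORD', @args);
printf "hardened leaks password: %d\n", leaks_secret(\&connect_hardened, 'THEPASSWORD', @args);
```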