Closed
Bug 561322
Opened 14 years ago
Closed 14 years ago
Bugzilla reveals database password on error
Categories: Bugzilla :: Database, defect
Status: RESOLVED FIXED
Target Milestone: Bugzilla 4.0
People: Reporter s.marechal, Assigned mkanat
Attachments (1 file): patch, 5.62 KB, mkanat: review+
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier:

I recently upgraded my server from Debian Lenny to Debian Squeeze and promptly suffered from bug #480001. The problem is that the error message that the bug in question generates discloses the database username and password. Here's the error message that bug #480001 generated:

    DBD::mysql::db do failed: SESSION variable 'max_allowed_packet' is read-only. Use SET GLOBAL to assign the value [for Statement "SET SESSION max_allowed_packet = 16777216"] at Bugzilla/DB/Mysql.pm line 113
        Bugzilla::DB::Mysql::new('Bugzilla::DB::Mysql', 'bugzilla', 'MY_DATABASE_PASSWORD', 'localhost', 'bugzilla', 0, '') called at Bugzilla/DB.pm line 111
        Bugzilla::DB::_connect('mysql', 'localhost', 'bugzilla', 0, '', 'bugzilla', 'MY_DATABASE_PASSWORD') called at Bugzilla/DB.pm line 96
        Bugzilla::DB::connect_main() called at Bugzilla.pm line 317
        Bugzilla::dbh('Bugzilla') called at Bugzilla/Auth.pm line 58
        Bugzilla::Auth::login('Bugzilla::Auth=HASH(0x35a2bd0)', 0) called at Bugzilla.pm line 236
        Bugzilla::login('Bugzilla', 0) called at /usr/local/bugzilla/index.cgi line 40

Reproducible: Always

Steps to Reproduce:
1. Reproduce bug #480001 (or generate some other database problem)
2. Watch the error

Actual Results:
The database password is revealed

Expected Results:
The database password should be hidden, or X'ed out.
Comment 1 • 14 years ago
It displays the error about SET SESSION because you use an old version of Bugzilla. This problem has been fixed in Bugzilla 3.2.3. You should upgrade to 3.2.6 or a newer branch.
Group: bugzilla-security
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Comment 2 • Reporter • 14 years ago
I already upgraded. This bug report is not about SET SESSION. It's about the backtrace showing the database password. What happens if something else goes wrong with my database? Another backtrace that exposes my password. Please reopen this bug. Exposing the password is a security risk and it needs to be fixed.
Comment 3 • Assignee • 14 years ago
I agree with the reporter that this issue should be fixed.
Status: RESOLVED → UNCONFIRMED
OS: Linux → All
Hardware: x86 → All
Resolution: DUPLICATE → ---
Target Milestone: --- → Bugzilla 3.8
Comment 4 • Assignee • 14 years ago
Okay, this changes all the DB code to pass stuff around as a hashref. I used the names of parameters from localconfig, which also simplifies the code a bit.
Assignee: database → mkanat
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #441065 -
Flags: review+
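The hashref change in comment 4 works because Carp's backtrace formatter (the "called at ... line N" trace quoted in the description) prints each scalar argument verbatim but prints a reference only as its type and address. The following stand-alone Perl script is an added example, not Bugzilla's code or the attached patch; the function names, the %conf hash and the sample password are constructed.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): why a positional password ends up in a
# Carp backtrace and why passing the same value inside a hashref does not.
use strict;
use warnings;
use Carp qw(longmess);

# Positional style: Carp prints every argument of every frame on the stack,
# so the password appears in the trace exactly as it was passed.
sub connect_positional {
    my ( $user, $pass, $host ) = @_;
    # Stand-in for a failing DBI->connect; longmess() builds the same
    # "called at FILE line N" trace that confess() or a __DIE__ handler emits.
    return longmess("connection to $host as $user failed");
}

# Hashref style (the approach taken in comment 4): the frame shows only
# something like HASH(0x55d1a3c0), never the values inside it.
sub connect_hashref {
    my ($params) = @_;
    return longmess("connection to $params->{db_host} as $params->{db_user} failed");
}

# Constructed sample configuration; the password is a placeholder value.
my %conf = (
    db_user => 'bugzilla',
    db_pass => 'MY_DATABASE_PASSWORD',
    db_host => 'localhost',
);

my $leaky = connect_positional( $conf{db_user}, $conf{db_pass}, $conf{db_host} );
my $safe  = connect_hashref( \%conf );

print "--- positional arguments ---\n$leaky\n";
print "--- hashref argument ---\n$safe\n";

# Same check a deployment can run over its error log: does any trace
# contain the configured password literally?
for my $case ( [ positional => $leaky ], [ hashref => $safe ] ) {
    my ( $name, $trace ) = @$case;
    printf "%-10s trace contains password: %s\n", $name,
        ( $trace =~ /\Q$conf{db_pass}\E/ ? 'yes' : 'no' );
}
```

The positional trace reports the password while the hashref trace does not, which is the difference the reporter asks for; the same regex check is a cheap way to grep an error log for a configured secret after deploying the fix.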
Comment 5 • Assignee • 14 years ago
Mockodin: This change will affect the MS-SQL driver.
Updated • Assignee • 14 years ago
Flags: approval+
Comment 6 • Assignee • 14 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/DB.pm
modified Bugzilla/DB/Mysql.pm
modified Bugzilla/DB/Oracle.pm
modified Bugzilla/DB/Pg.pm
Committed revision 7144.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED