[geeklog-cvs] Geeklog-1.x/public_html lib-common.php, 1.726, 1.727 siteconfig.php.dist, 1.17, 1.18
Michael Jervis
mjervis at qs1489.pair.com
Tue Sep 2 15:08:58 EDT 2008
Update of /cvsroot/geeklog/Geeklog-1.x/public_html
In directory qs1489.pair.com:/tmp/cvs-serv85721/public_html
Modified Files:
lib-common.php siteconfig.php.dist
Log Message:
Hide passwords with rootdebug on [1]. (Bug 0000722)
[1] - What part of rootdebug was hard to understand?
Index: siteconfig.php.dist
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/siteconfig.php.dist,v
retrieving revision 1.17
retrieving revision 1.18
diff -C2 -d -r1.17 -r1.18
*** siteconfig.php.dist 1 Jul 2008 20:27:35 -0000 1.17
--- siteconfig.php.dist 2 Sep 2008 19:08:56 -0000 1.18
***************
*** 20,24 ****
// If you have errors on your site, can't login, or can't get to the
// config UI, then you can comment this in to set the root debug option
! // on and get detailed error messages:
// $_CONF['rootdebug'] = true;
--- 20,26 ----
// If you have errors on your site, can't login, or can't get to the
// config UI, then you can comment this in to set the root debug option
! // on and get detailed error messages. You can set this to 'force' (which the
! // Config UI won't allow you to do, to override hiding of password and cookie
! // items in the debug trace.
// $_CONF['rootdebug'] = true;
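Review bot: The new sentence describing the 'force' value opens a parenthesis that is never closed, so it reads as if the Config UI cannot override the hiding rather than cannot set 'force'; suggested wording: `// on and get detailed error messages. You can set this to 'force' (which the` / `// Config UI won't allow you to do) to override hiding of password and cookie` / `// items in the debug trace.` It would also help to say here that with 'force' those values are shown to any visitor who triggers an error, not only to members of Root, since that is why the Config UI refuses it; the lib-common.php change in this commit only redacts for non-Root users.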
Index: lib-common.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/lib-common.php,v
retrieving revision 1.726
retrieving revision 1.727
diff -C2 -d -r1.726 -r1.727
*** lib-common.php 1 Sep 2008 09:21:04 -0000 1.726
--- lib-common.php 2 Sep 2008 19:08:56 -0000 1.727
***************
*** 6551,6565 ****
if($_CONF['rootdebug'] || SEC_inGroup('Root'))
{
! echo("
! An error has occurred:<br>
! $errno - $errstr @ $errfile line $errline<br>
! <pre>");
ob_start();
var_dump($errcontext);
$errcontext = htmlspecialchars(ob_get_contents());
ob_end_clean();
! echo("$errcontext</pre>
! (This text is only displayed to users in the group 'Root')
! ");
exit;
}
--- 6551,6580 ----
if($_CONF['rootdebug'] || SEC_inGroup('Root'))
{
! echo('<h1>An error has occurred:</h1>');
! if($_CONF['rootdebug']) {
! echo('<h2 style="color: red">This is being displayed as "Root Debugging" is enabled
! in your Geeklog configuration.</h2><p>If this is a production
! website you <strong><em>must disable</em></strong> this
! option once you have resolved any issues you are
! investigating.</p>');
! } else {
! echo('(This text is only displayed to users in the group \'Root\')<br>');
! }
! echo("$errno - $errstr @ $errfile line $errline<br>");
! if(!SEC_inGroup('Root')) {
! if('force' != ''.$_CONF['rootdebug']) {
! $errcontext = COM_rootDebugClean($errcontext);
! } else {
! echo('<h2 style="color: red">Root Debug is set to "force", this
! means that passwords and session cookies are exposed in this
! message!!!</h2>');
! }
! }
! echo('<pre>');
ob_start();
var_dump($errcontext);
$errcontext = htmlspecialchars(ob_get_contents());
ob_end_clean();
! echo("$errcontext</pre>");
exit;
}
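Review bot: The line `echo("$errno - $errstr @ $errfile line $errline<br>");` writes the error string and file path into the page unescaped, while the context dump a few lines below is passed through htmlspecialchars(); PHP error strings can carry request-derived text (an undefined array key, a path that failed to open), so this line should be escaped the same way: `echo(htmlspecialchars("$errno - $errstr @ $errfile line $errline") . '<br>');`. A short comment above `if(!SEC_inGroup('Root'))` stating that Root members always receive the unredacted dump with no warning would stop a reader from taking the redaction for a complete control, since the 'force' branch only runs for non-Root users. The comparison `'force' != ''.$_CONF['rootdebug']` would be clearer as `$_CONF['rootdebug'] !== 'force'`. The enclosing error-handler function begins before this hunk.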
***************
*** 6617,6620 ****
--- 6632,6666 ----
/**
+ * Recurse through the error context array removing/blanking password/cookie
+ * values in case the "for development" only switch is left on in a production
+ * environment.
+ *
+ * [Not fit for public consumption comments about what users who enable root
+ * debug in production should have done to them, and why making this change
+ * defeats the point of the entire root debug feature go here.]
+ *
+ * @param $array Array of state info (Recursive array).
+ * @return Cleaned array
+ */
+ function COM_rootDebugClean($array, $blank=false)
+ {
+ $blankField = false;
+ while(list($key, $value) = each($array)) {
+ $lkey = strtolower($key);
+ if((strpos($lkey, 'pass') !== false) || (strpos($lkey, 'cookie')!== false)) {
+ $blankField = true;
+ } else {
+ $blankField = $blank;
+ }
+ if(is_array($value)) {
+ $array[$key] = COM_rootDebugClean($value, $blankField);
+ } elseif($blankField) {
+ $array[$key] = '[VALUE REMOVED]';
+ }
+ }
+ return $array;
+ }
+
+ /**
* Checks to see if a specified user, or the current user if non-specified
* is the anonymous user.
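Review bot: `while(list($key, $value) = each($array))` iterates from the array's current internal pointer, which a by-value copy inherits from the caller; if the error context or a nested array was already walked with each() and not reset(), the loop ends immediately and nothing is blanked, so the loop header should be `foreach ($array as $key => $value) {` (each() is also removed in later PHP versions). The docblock omits the `$blank` parameter, which forces blanking of every leaf below a key that matched; document it as `@param $blank Blank every value in this (sub)array, set when a parent key matched` and give `@return` a type. Only arrays are descended (`is_array($value)`), so objects in the context — a database handle holding credentials, for instance — are dumped by var_dump unchanged, which should either be handled or recorded in the docblock as a known gap. The substring match on 'pass' and 'cookie' also misses names such as PHP_AUTH_PW; consider widening the list (for example 'pw', 'secret', 'session').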