[geeklog-cvs] Geeklog-1.x/public_html lib-common.php, 1.726, 1.727 siteconfig.php.dist, 1.17, 1.18

Michael Jervis mjervis at qs1489.pair.com
Tue Sep 2 15:08:58 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/public_html
In directory qs1489.pair.com:/tmp/cvs-serv85721/public_html

Modified Files:
	lib-common.php siteconfig.php.dist 
Log Message:
Hide passwords with rootdebug on [1]. (Bug 0000722)

[1] - What part of rootdebug was hard to understand?

Index: siteconfig.php.dist
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/siteconfig.php.dist,v
retrieving revision 1.17
retrieving revision 1.18
diff -C2 -d -r1.17 -r1.18
*** siteconfig.php.dist	1 Jul 2008 20:27:35 -0000	1.17
--- siteconfig.php.dist	2 Sep 2008 19:08:56 -0000	1.18
***************
*** 20,24 ****
  // If you have errors on your site, can't login, or can't get to the
  // config UI, then you can comment this in to set the root debug option
! // on and get detailed error messages:
  // $_CONF['rootdebug'] = true;
  
--- 20,26 ----
  // If you have errors on your site, can't login, or can't get to the
  // config UI, then you can comment this in to set the root debug option
! // on and get detailed error messages. You can set this to 'force' (which the
! // Config UI won't allow you to do, to override hiding of password and cookie
! // items in the debug trace.
  // $_CONF['rootdebug'] = true;
  

Index: lib-common.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/public_html/lib-common.php,v
retrieving revision 1.726
retrieving revision 1.727
diff -C2 -d -r1.726 -r1.727
*** lib-common.php	1 Sep 2008 09:21:04 -0000	1.726
--- lib-common.php	2 Sep 2008 19:08:56 -0000	1.727
***************
*** 6551,6565 ****
          if($_CONF['rootdebug'] || SEC_inGroup('Root'))
          {
!             echo("
!                 An error has occurred:<br>
!                 $errno - $errstr @ $errfile line $errline<br>
!             <pre>");
              ob_start();
              var_dump($errcontext);
              $errcontext = htmlspecialchars(ob_get_contents());
              ob_end_clean();
!             echo("$errcontext</pre>
!             (This text is only displayed to users in the group 'Root')
!             ");
              exit;
          }
--- 6551,6580 ----
          if($_CONF['rootdebug'] || SEC_inGroup('Root'))
          {
!             echo('<h1>An error has occurred:</h1>');
!             if($_CONF['rootdebug']) {
!                 echo('<h2 style="color: red">This is being displayed as "Root Debugging" is enabled
!                         in your Geeklog configuration.</h2><p>If this is a production
!                         website you <strong><em>must disable</em></strong> this
!                         option once you have resolved any issues you are
!                         investigating.</p>');
!             } else {
!                 echo('(This text is only displayed to users in the group \'Root\')<br>');
!             }
!             echo("$errno - $errstr @ $errfile line $errline<br>");
!             if(!SEC_inGroup('Root')) {
!                 if('force' != ''.$_CONF['rootdebug']) {
!                     $errcontext = COM_rootDebugClean($errcontext);
!                 } else {
!                     echo('<h2 style="color: red">Root Debug is set to "force", this
!                     means that passwords and session cookies are exposed in this
!                     message!!!</h2>');
!                 }
!             }
!             echo('<pre>');
              ob_start();
              var_dump($errcontext);
              $errcontext = htmlspecialchars(ob_get_contents());
              ob_end_clean();
!             echo("$errcontext</pre>");
              exit;
          }
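Review bot: The rewritten line `echo("$errno - $errstr @ $errfile line $errline<br>");` still emits `$errstr` and `$errfile` without escaping, while `$errcontext` a few lines below is passed through `htmlspecialchars()`; PHP's warning text for calls such as `fopen()` embeds the offending argument, and with `rootdebug` on this page is served to every visitor, so request-influenced markup would be reflected into it. Suggested: `echo(htmlspecialchars("$errno - $errstr @ $errfile line $errline") . '<br>');`. The `if(!SEC_inGroup('Root'))` guard means `COM_rootDebugClean()` is never applied for Root viewers, which is presumably intended (Root is trusted), but a one-line comment such as `// Root members see the full context; only other viewers get the redacted copy` would make that explicit. The enclosing error handler begins before this hunk.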
***************
*** 6617,6620 ****
--- 6632,6666 ----
  
  /**
+   * Recurse through the error context array removing/blanking password/cookie
+   * values in case the "for development" only switch is left on in a production
+   * environment.
+   *
+   * [Not fit for public consumption comments about what users who enable root
+   * debug in production should have done to them, and why making this change
+   * defeats the point of the entire root debug feature go here.]
+   *
+   * @param $array   Array of state info (Recursive array).
+   * @return Cleaned array
+   */
+ function COM_rootDebugClean($array, $blank=false)
+ {
+     $blankField = false;
+     while(list($key, $value) = each($array)) {
+         $lkey = strtolower($key);
+         if((strpos($lkey, 'pass') !== false) || (strpos($lkey, 'cookie')!== false)) {
+             $blankField = true;
+         } else {
+             $blankField = $blank;
+         }
+         if(is_array($value)) {
+             $array[$key] = COM_rootDebugClean($value, $blankField);
+         } elseif($blankField) {
+             $array[$key] = '[VALUE REMOVED]';
+         }
+     }
+     return $array;
+ }
+ 
+ /**
    * Checks to see if a specified user, or the current user if non-specified
    * is the anonymous user.
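Review bot: `COM_rootDebugClean()` blanks a value only when its lower-cased key contains `pass` or `cookie`, so credentials stored under other names in the dumped context — for instance `$_SERVER['PHP_AUTH_PW']` or `HTTP_AUTHORIZATION` if `$_SERVER` is part of `$errcontext`, or any `*_secret`/`*_token` configuration value — are still printed; widening the test to `if (preg_match('/pass|pw|cookie|secret|token|authorization/', $lkey)) {` covers those at the cost of a few harmless extra redactions. The docblock omits the second parameter; add `@param bool $blank When true, every value in this subtree is blanked (set on recursion when a parent key matched).` The `while(list($key, $value) = each($array))` loop writes into `$array` while walking it through the internal pointer; `foreach ($array as $key => $value)` expresses the same traversal without depending on that pointer.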



