Newsgroups: php.internals
Subject: Re: [PHP-DEV] The real world ...
From: andreas@heigl.org (Andreas Heigl)
To: internals@lists.php.net
Date: Thu, 13 Jun 2019 09:55:58 +0200

Hey All

On 13.06.19 at 09:41 Nikita Popov wrote:
> On Thu, Jun 13, 2019 at 9:35 AM Lester Caine wrote:
>
>> Seen in the wild ... company name sanitised
>>
>> Warning: mysqli::mysqli(): (HY000/2002): No such file or directory in
>> /home/888/public_html/system/library/db/mysqli.php on line 7
>>
>> Fatal error: Uncaught exception 'Exception' with message 'Error: <br />Error No: ' in /home/888/public_html/system/library/db/mysqli.php:10
>> Stack trace:
>> #0 /home/888/public_html/system/nitro/core/nitro_db.php(29): DB\MySQLi->__construct('localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
>> #1 /home/888/public_html/system/nitro/core/nitro_db.php(13): NitroDb->__construct('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
>> #2 /home/888/public_html/system/storage/modification/system/library/db.php(11): NitroDb::getInstanceWithParams('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
>> #3 /home/888/public_html/system/framework.php(36): DB->__construct('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
>> #4 /home/888/public_html/vqmod/vqcache/vq2-system_startup.php(124): require_once('/home/888 in /home/888/public_html/system/library/db/mysqli.php on line 10
>> 你的代码出错了：
>>
>> I presume something has been updated that they have not been aware of,
>> since it's a library file that triggered the warning ... but it's not the
>> first time in recent years I've seen this sort of information on
>> commercial sites, and while my own clients just get white screens, those
>> are created by the likes of Wordpress when 'automatic updates' happen.
>>
>> Many years ago the response was "well don't update", but 'current
>> practice' takes that out of OUR hands! So isn't it time that the
>> triggering of exceptions like this did produce a more user-secure response
>> to protect against leaks like this and provide a better alternative than
>> a white screen?
>>
>> In the case of this live site, I actually placed an order as it was only
>> some links that triggered the fault, which may explain why they were not
>> even aware there was a problem :( From the 'development' side, NitroDb->
>> should obviously be handling the problem anyway.
>>
>
> display_errors=Off in production.
>

While that makes absolute sense, perhaps thinking about whether there is a way
to mark password parameters in core functions and hide them in stack traces
might improve security, as that would also hide user-provided credentials in
log files. That would not target userland methods/functions, though having a
core value object for credentials might even allow *that*.

Just my 0.02 €

Cheers

Andreas

--
Andreas Heigl
mailto:andreas@heigl.org   N 50°22'59.5" E 08°23'58"
http://andreas.heigl.org   http://hei.gl/wiFKy7
http://hei.gl/root-ca
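An added illustration of the two mitigations discussed in the thread (Nikita's display_errors=Off and Andreas's idea of redacting credential arguments); it is example code, not code from the thread, from PHP core, or from OpenCart/NitroDb. The callable names and argument positions in SENSITIVE_ARGS are assumed from the quoted stack trace.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): keep the trace away from the browser and
// scrub credential arguments before the trace is written to the log, so a DB
// outage no longer prints the DB user and password to either place.

// Callable => 0-based positions of credential arguments (assumed for the demo).
const SENSITIVE_ARGS = [
    'DB\MySQLi::__construct' => [1, 2], // host, USER, PASSWORD, db, port
    'NitroDb::__construct'   => [2, 3], // driver, host, USER, PASSWORD, db, port
    'DB::__construct'        => [2, 3],
];

// Walk the frames of $e->getTrace() and replace credential args in place.
function redactTrace(array $trace): array
{
    foreach ($trace as &$frame) {
        $callable = isset($frame['class'])
            ? $frame['class'] . '::' . $frame['function']
            : $frame['function'];
        foreach (SENSITIVE_ARGS[$callable] ?? [] as $pos) {
            if (isset($frame['args']) && array_key_exists($pos, $frame['args'])) {
                $frame['args'][$pos] = '[redacted]';
            }
        }
    }
    unset($frame);
    return $trace;
}

// Render one frame like PHP's own "#n file(line): call(args)" trace lines.
function formatFrame(int $i, array $f): string
{
    $args = implode(', ', array_map(fn($a) => var_export($a, true), $f['args'] ?? []));
    $call = (isset($f['class']) ? $f['class'] . $f['type'] : '') . $f['function'];
    return sprintf('#%d %s(%d): %s(%s)', $i, $f['file'] ?? '[internal]', $f['line'] ?? 0, $call, $args);
}

ini_set('display_errors', '0'); // nothing PHP emits reaches the browser

set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage());
    foreach (redactTrace($e->getTrace()) as $i => $frame) {
        error_log(formatFrame($i, $frame));
    }
    http_response_code(500);
    echo 'An internal error occurred.'; // generic page instead of a trace or a white screen
});
```

Frames carry an 'args' entry only while PHP collects exception arguments (from PHP 7.4 this is governed by zend.exception_ignore_args, which php.ini-production turns on); with it enabled the redaction loop simply finds nothing to scrub.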