Newsgroups: php.internals
Xref: news.php.net php.internals:105904
From: andreas@heigl.org (Andreas Heigl)
To: internals@lists.php.net
Date: Thu, 13 Jun 2019 15:47:21 +0200
Subject: Re: [PHP-DEV] The real world ...
On 13.06.19 at 15:30, Sjon Hortensius wrote:
> FWIW - hiding database passwords (when using PDO) would be possible when
> https://github.com/php/php-src/pull/2684 gets included

I was thinking more of a general approach, as PDO is not the only place
where passwords are transferred. So having a generic Password VO that
could be used like a password string for BC but would not show up in
stack traces - or at least not the cleartext password - might improve the
security aspect regardless of where the password will be used.

Yes, at one point the cleartext password needs to be handed over to the
VO, and before that it will appear in stack traces. I did a userland
implementation, but it still requires handing over the cleartext password
to the relevant functions in PHP, and there the stack trace can again leak
the password. So having such functionality in the core would improve
things.

Cheers

Andreas

>
> Cheers,
> Sjon
>
> On Thu, Jun 13, 2019 at 9:56 AM Andreas Heigl wrote:
>
>> Hey All
>>
>> On 13.06.19 at 09:41, Nikita Popov wrote:
>>> On Thu, Jun 13, 2019 at 9:35 AM Lester Caine wrote:
>>>
>>>> Seen in the wild ... company name sanitised
>>>>
>>>> Warning: mysqli::mysqli(): (HY000/2002): No such file or directory in
>>>> /home/888/public_html/system/library/db/mysqli.php on line 7
>>>>
>>>> Fatal error: Uncaught exception 'Exception' with message 'Error:
>>>> />Error No: ' in /home/888/public_html/system/library/db/mysqli.php:10
>>>> Stack trace: #0
>>>> /home/888/public_html/system/nitro/core/nitro_db.php(29):
>>>> DB\MySQLi->__construct('localhost', '888_4y65f5...',
>>>> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #1
>>>> /home/888/public_html/system/nitro/core/nitro_db.php(13):
>>>> NitroDb->__construct('mysqli', 'localhost', '888_4y65f5...',
>>>> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #2
>>>> /home/888/public_html/system/storage/modification/system/library/db.php(11):
>>>> NitroDb::getInstanceWithParams('mysqli', 'localhost', '888_4y65f5...',
>>>> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #3
>>>> /home/888/public_html/system/framework.php(36):
>>>> DB->__construct('mysqli', 'localhost', '888_4y65f5...',
>>>> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #4
>>>> /home/888/public_html/vqmod/vqcache/vq2-system_startup.php(124):
>>>> require_once('/home/888 in
>>>> /home/888/public_html/system/library/db/mysqli.php on line 10
>>>> [in Chinese:] Your code has an error:
>>>>
>>>> I presume something has been updated that they have not been aware of,
>>>> since it's a library file that triggered the warning ... but it's not the
>>>> first time in recent years I've seen this sort of information on
>>>> commercial sites, and while my own clients just get white screens, those
>>>> are created by the likes of Wordpress when 'automatic updates' happen.
>>>>
>>>> Many years ago the response was "well don't update", but 'current
>>>> practice' takes that out of OUR hands! So isn't it time that the
>>>> triggering of exceptions like this did produce a more user-secure response
>>>> to protect against leaks like this and provide a better alternative than
>>>> a white screen?
>>>>
>>>> In the case of this live site, I actually placed an order, as it was only
>>>> some links that triggered the fault, which may explain why they were not
>>>> even aware there was a problem :( From the 'development' side, NitroDb->
>>>> should obviously be handling the problem anyway.
>>>>
>>>
>>> display_errors=Off in production.
>>>
>>
>> While that makes absolute sense, perhaps thinking about whether there is a way
>> to mark password parameters in core functions and hide them in
>> stack traces might improve security, as that would also hide
>> user-provided credentials in log files.
>> That would not target userland methods/functions. Though having a
>> core value object for credentials might even allow *that*.
>>
>> Just my 0.02 €
>>
>> Cheers
>>
>> Andreas
>> --
>>
>

-- 
                                 ,,,
                                (o o)
+---------------------------------------------------------ooO-(_)-Ooo-+
| Andreas Heigl                                                       |
| mailto:andreas@heigl.org                  N 50°22'59.5" E 08°23'58" |
| http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
+---------------------------------------------------------------------+
| http://hei.gl/root-ca                                               |
+---------------------------------------------------------------------+
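Editor's worked example (not code from this thread, from Andreas's userland implementation, or from php-src). It reproduces the leak Lester quotes, shows why the userland Password VO Andreas describes only moves the problem to the frame that hands the cleartext to a string-typed function, and contrasts that with the two mechanisms the engine itself offers: the `zend.exception_ignore_args` ini setting (PHP 7.4+, On in php.ini-production) and the `#[\SensitiveParameter]` attribute that PHP 8.2 later added to the core for exactly the purpose discussed here (core functions such as `PDO::__construct` carry it on their password parameter). The class and function names (`Password`, `connectPlain`, `connectWithVo`, `connectWithAttribute`, `traceOf`, `leaks`) and the secret value are illustrative. Requires PHP 8.0+ to parse the attribute syntax; on 8.0 and 8.1 the attribute is ignored and that case still leaks, on 8.2+ it is redacted.

```php
<?php
declare(strict_types=1);

// Constructed example: how a cleartext password reaches an exception trace,
// and what each mitigation leaves behind. Names and values are illustrative.

final class Password
{
    private string $secret;

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    // The one deliberate way out: call it only at the point that needs the cleartext.
    public function reveal(): string
    {
        return $this->secret;
    }

    // var_dump() and print_r() see this instead of the real property.
    public function __debugInfo(): array
    {
        return ['secret' => '[redacted]'];
    }

    // Implicit string conversion must not smuggle the cleartext back out.
    public function __toString(): string
    {
        return '[redacted]';
    }
}

// Stand-in for a core connect function that fails: its frame records its string arguments.
function connectPlain(string $host, string $user, string $password): void
{
    throw new RuntimeException('No such file or directory');
}

// Userland value object: this frame shows Object(Password), but the cleartext has to be
// handed to a string-typed function eventually, and that inner frame leaks it again.
function connectWithVo(string $host, string $user, Password $password): void
{
    connectPlain($host, $user, $password->reveal());
}

// PHP 8.2+: the engine substitutes SensitiveParameterValue for the argument in traces.
// On 8.0/8.1 the attribute is silently ignored and the password leaks.
function connectWithAttribute(string $host, string $user, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException('No such file or directory');
}

// Returns the trace the way an "Uncaught exception" page or error log would print it.
function traceOf(callable $fn, ...$args): string
{
    try {
        $fn(...$args);
    } catch (RuntimeException $e) {
        return $e->getTraceAsString();
    }
    return '';
}

// getTraceAsString() prints at most the first 15 characters of a string argument
// followed by "..." (as in the quoted trace), so check for that prefix.
function leaks(string $trace, string $secret): bool
{
    return strpos($trace, substr($secret, 0, 15)) !== false;
}

$secret = 'Tr0ub4dor&3';   // constructed test value

$cases = [
    'plain string'          => traceOf('connectPlain', 'localhost', 'app', $secret),
    'userland Password VO'  => traceOf('connectWithVo', 'localhost', 'app', new Password($secret)),
    '#[SensitiveParameter]' => traceOf('connectWithAttribute', 'localhost', 'app', $secret),
];

// No code change needed: drop all arguments from traces (PHP_INI_ALL, so it can be
// set at runtime; php.ini-production ships with it On since PHP 7.4).
ini_set('zend.exception_ignore_args', '1');
$cases['zend.exception_ignore_args=On'] = traceOf('connectPlain', 'localhost', 'app', $secret);

foreach ($cases as $name => $trace) {
    printf("%-32s %s\n", $name . ':', leaks($trace, $secret) ? 'LEAKS' : 'redacted');
    echo $trace, "\n\n";
}
```

Two caveats a practitioner should take from this. First, the VO shown here forces an explicit `reveal()` and returns a placeholder from `__toString()`; that is the opposite of the "usable like a password string for BC" property Andreas asks for, and it is precisely that drop-in property which would let the cleartext flow into a string-typed core parameter and its trace frame. Second, none of this replaces `display_errors=Off`: `zend.exception_ignore_args` and `#[\SensitiveParameter]` shorten what an exception trace records, but the 15-character prefix in the quoted trace shows how much a single leaked frame already gives away, and the same traces land in error logs even when the screen is white.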