From: Brion Vibber Date: Wed, 11 Oct 2006 18:57:49 +0000 (+0000) Subject: * Disable PHP exception backtrace printing unless $wgShowExceptionDetails X-Git-Tag: 1.31.0-rc.0~55534 X-Git-Url: https://git.cyclocoop.org/%28%28?a=commitdiff_plain;h=6c86df8f2f3d64a3115f322a0cd944aabfc192c5;p=lhc%2Fweb%2Fwiklou.git * Disable PHP exception backtrace printing unless $wgShowExceptionDetails is set. Backtraces may contain sensitive information in function call parameters.
---
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 104bb17205..34a1ab4235 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -33,6 +33,9 @@ it from source control: http://www.mediawiki.org/wiki/Download_from_SVN * Fix PHP notice and estimates for dumpBackup.php and friends * Improved register_globals paranoia checks * (bug 7545) Fix PHP version check on install +* Disable PHP exception backtrace printing unless $wgShowExceptionDetails + is set. Backtraces may contain sensitive information in function call + parameters. == Languages updated ==
diff --git a/includes/DefaultSettings.php b/includes/DefaultSettings.php
index bb7b76b8be..fcc1dc1a7c 100644
--- a/includes/DefaultSettings.php
+++ b/includes/DefaultSettings.php
@@ -789,6 +789,14 @@ $wgShowSQLErrors = false; */ $wgColorErrors = true; +/** + * If set to true, uncaught exceptions will print a complete stack trace + * to output. This should only be used for debugging, as it may reveal + * private information in function parameters due to PHP's backtrace + * formatting. + */ +$wgShowExceptionDetails = false; + /** + * disable experimental dmoz-like category browsing. Output things like: + * Encyclopedia > Music > Style of Music > Jazz
diff --git a/includes/Exception.php b/includes/Exception.php
index 696454d052..56f18d5ac6 100644
--- a/includes/Exception.php
+++ b/includes/Exception.php
@@ -20,16 +20,28 @@ class MWException extends Exception return wfMsgReplaceArgs( $fallback, $args ); } } - + function getHTML() { - return '

' . htmlspecialchars( $this->getMessage() ) . - '

Backtrace:

' . nl2br( htmlspecialchars( $this->getTraceAsString() ) ) . - "

\n"; + global $wgShowExceptionDetails; + if( $wgShowExceptionDetails ) { + return '

' . htmlspecialchars( $this->getMessage() ) . + '

Backtrace:

' . nl2br( htmlspecialchars( $this->getTraceAsString() ) ) . + "

\n"; + } else { + return "

Set \$wgShowExceptionDetails = true; " . + "in LocalSettings.php to show detailed debugging information.

"; + } } function getText() { - return $this->getMessage() . - "\nBacktrace:\n" . $this->getTraceAsString() . "\n"; + global $wgShowExceptionDetails; + if( $wgShowExceptionDetails ) { + return $this->getMessage() . + "\nBacktrace:\n" . $this->getTraceAsString() . "\n"; + } else { + return "

Set \$wgShowExceptionDetails = true; " . + "in LocalSettings.php to show detailed debugging information.

"; + } } function getPageTitle() {
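Review bot: The fallback returned by getText() (the else branch on the hunk's last lines) appears to carry the same paragraph markup as getHTML()'s fallback — the tags are stripped in this rendering, but the line breaks match exactly — and getText() is the plain-text path, so it should return an unmarked string such as `return "Set \$wgShowExceptionDetails = true; in LocalSettings.php to show detailed debugging information.\n";`. Suppressing the trace from user-facing output is the right default, but nothing in this hunk records the message or trace anywhere else, so with the setting off an operator loses the diagnostic entirely; writing the full text to the debug log or error_log before returning the placeholder would keep it available server-side without exposing it to visitors, unless that already happens outside the hunk. The placeholder string is also duplicated verbatim between getHTML() and getText(); a small private helper would keep the two from drifting apart. getPageTitle() begins on the hunk's last line and continues outside it.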