Flarum leaks password when it can't connect to the database #1421

@Cadiducho

Description

Explanation

When the forum can't connect to the database (for example, the MySQL server is down), the exception leaks all the config related to MySQL, including the username and password.
PDO->__construct('mysql:host=127....', 'fakeUsername', 'fakePassword', Array) is shown at least three times.

Technical details

  • Version of Flarum: 0.1.0-beta.7
  • Website URL where the bug is visible: https://edoras.es/foro (not now that the db is back online)
  • The webserver you are running: caddy
  • PHP version: 7.1.17
  • Hosted environment: vps
  • Hosting provider: http://ovh.com

Flarum info


Flarum core 0.1.0-beta.6
PHP 7.1.17
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, pcntl, readline, Reflection, SPL, session, standard, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, json, ldap, exif, mcrypt, mysqlnd, odbc, PDO, Phar, posix, shmop, SimpleXML, soap, sockets, sqlite3, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlwriter, xsl, mysqli, pdo_mysql, PDO_ODBC, pdo_sqlite, wddx, xmlreader, xmlrpc, Zend OPcache
EXT flagrow-analytics 0.5.0
EXT flarum-approval v0.1.0-beta.6
EXT flarum-bbcode v0.1.0-beta.5
EXT sijad-details 0.1.2
EXT flarum-emoji v0.1.0-beta.6
EXT clarkwinkelmann-emojionearea 0.1.2
EXT flarum-flags v0.1.0-beta.6
EXT flarum-likes v0.1.0-beta.6
EXT sijad-links 0.1.0-beta.6
EXT flarum-lock v0.1.0-beta.6
EXT flarum-markdown v0.1.0-beta.5
EXT xengine-markdown-editor 1.3.1
EXT flarum-mentions v0.1.0-beta.7
EXT sijad-pages 0.1.0-beta.3
EXT davis-securehttps 0.1.0-beta5
EXT avatar4eg-share-social 0.2.3
EXT davis-socialprofile 0.2.3
EXT flarumes-spanish v0.1.0-beta.6
EXT flarum-sticky v0.1.0-beta.6
EXT flarum-subscriptions v0.1.0-beta.6
EXT flarum-suspend v0.1.0-beta.6
EXT flarum-tags v0.1.0-beta.7
EXT avatar4eg-users-list 0.1.1
Base URL: https://edoras.es/foro
Installation path: /var/www/edoras/foro

Log files

Fatal error: Uncaught PDOException: SQLSTATE[HY000] [1045] Access denied for user 'fakeUsername'@'localhost' (using password: YES) in /var/www/edoras/foro/vendor/illuminate/database/Connectors/Connector.php:55 Stack trace: #0 /var/www/edoras/foro/vendor/illuminate/database/Connectors/Connector.php(55): PDO->__construct('mysql:host=127....', 'fakeUsername', 'fakePassword', Array) #1 /var/www/edoras/foro/vendor/illuminate/database/Connectors/MySqlConnector.php(22): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=127....', Array, Array) #2 /var/www/edoras/foro/vendor/illuminate/database/Connectors/ConnectionFactory.php(60): Illuminate\Database\Connectors\MySqlConnector->connect(Array) #3 /var/www/edoras/foro/vendor/illuminate/database/Connectors/ConnectionFactory.php(49): Illuminate\Database\Connectors\ConnectionFactory->createSingleConnection(Array) #4 /var/www/edoras/foro/vendor/flarum/core/src/Database/DatabaseServiceProvider.php(29): Illuminate\Database\Connectors\ConnectionFactory->make(Array) #5 in /var/www/edoras/foro/vendor/illuminate/database/Connectors/Connector.php on line 55
05/May/2018:17:45:17 +0200 [ERROR 0 /foro/] PHP message: PHP Fatal error: Uncaught PDOException: SQLSTATE[HY000] [1045] Access denied for user 'fakeUsername'@'localhost' (using password: YES) in /var/www/edoras/foro/vendor/illuminate/database/Connectors/Connector.php:55 Stack trace: #0 /var/www/edoras/foro/vendor/illuminate/database/Connectors/Connector.php(55): PDO->__construct('mysql:host=127....', 'fakeUsername', 'fakePassword', Array) #1 /var/www/edoras/foro/vendor/illuminate/database/Connectors/MySqlConnector.php(22): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=127....', Array, Array) #2 /var/www/edoras/foro/vendor/illuminate/database/Connectors/ConnectionFactory.php(60): Illuminate\Database\Connectors\MySqlConnector->connect(Array) #3 /var/www/edoras/foro/vendor/illuminate/database/Connectors/ConnectionFactory.php(49): Illuminate\Database\Connectors\ConnectionFactory->createSingleConnection(Array) #4 /var/www/edoras/foro/vendor/flarum/core/src/Database/DatabaseServiceProvider.php(29): Illuminate\Database\Connectors...

This is shown in the web browser to all the clients that connect to the forum when it can't connect to the database.
Yes, the username and password have been changed to recreate the bug.
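The leak in the report happens because PHP's default uncaught-exception output prints each stack frame with its arguments, and scalar string arguments are printed in clear (truncated to 15 characters, which is why the DSN appears as 'mysql:host=127....' while the short username and password survive intact); array arguments are printed only as "Array". The following is an added example, not Flarum's or Laravel's code, of how an application on PHP 7.x (where the zend.exception_ignore_args INI setting from PHP 7.4 is not available) can keep database credentials out of anything a client can see. The function name connectSafely, the config array and the deliberately unreachable SQLite DSN are constructed for illustration; it assumes a PHP 7.x CLI with pdo_sqlite loaded.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Flarum project or the issue reporter.

// 1. Production error handling: never render an exception to the client.
//    Full detail (message and trace) goes to the server log only.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
set_exception_handler(function (Throwable $e): void {
    error_log(get_class($e) . ': ' . $e->getMessage() . "\n" . $e->getTraceAsString());
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Internal server error\n";
});

// 2. Connect with the credentials bundled in one array. Any frame of this
//    wrapper that ends up in a trace renders its argument as "Array", never
//    as the plaintext user or password.
function connectSafely(array $db): PDO
{
    try {
        return new PDO($db['dsn'], $db['user'], $db['pass'], [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Frame #0 of $e is PDO->__construct($dsn, $user, $pass, ...) and
        // carries the credentials as scalar strings. Log only the driver
        // message server-side, then rethrow WITHOUT chaining $e as $previous:
        // a handler that prints the whole chain would print that frame again.
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable', 0);
    }
}

// Demonstration with a constructed DSN that fails offline (a directory that
// does not exist), standing in for "the MySQL server is down".
$config = [
    'dsn'  => 'sqlite:/nonexistent-dir/forum.sqlite',
    'user' => 'fakeUsername',   // constructed placeholder, as in the report
    'pass' => 'fakePassword',   // constructed placeholder, as in the report
];

try {
    connectSafely($config);
} catch (RuntimeException $e) {
    // What a client-facing handler would now have to work with: a trace
    // whose only frame is connectSafely(Array).
    $trace = $e->getTraceAsString();
    $leaked = strpos($trace, 'fakePassword') !== false
           || strpos($trace, 'fakeUsername') !== false;
    echo $leaked ? "LEAK: credentials present in trace\n"
                 : "OK: no credentials in trace\n";
    echo $trace . "\n";
}
```

The two measures are independent: display_errors=Off alone stops the page render shown in the report but leaves the credentials in whatever log or error tracker receives uncaught exceptions, while catching and rethrowing at the connection boundary keeps them out of every trace regardless of how the exception is later displayed. On PHP 7.4 and later, setting zend.exception_ignore_args=On (the php.ini-production default) additionally strips arguments from all traces.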
