PDO security fix (for ppl not having error reporting turned off on pr…

…oduction).
commit 9f93316019ddd77b6a0ee95968965604cad185ea 1 parent 8268d02
@gabordemooij authored
Showing with 23 additions and 16 deletions.
  1. +20 −15 RedBean/Driver/PDO.php
  2. +3 −1 testing/RedUNIT/Blackhole/Misc.php
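--- a/RedBean/Driver/PDO.php
+++ b/RedBean/Driver/PDO.php
@@ -116,21 +116,26 @@ public function __construct($dsn, $user = null, $pass = null) {
 */
 public function connect() {
 if ($this->isConnected) return;
-$user = $this->connectInfo['user'];
-$pass = $this->connectInfo['pass'];
-//PDO::MYSQL_ATTR_INIT_COMMAND
-$this->pdo = new PDO(
-$this->dsn,
-$user,
-$pass,
-array(1002 => 'SET NAMES utf8',
-PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
-
-)
-);
-$this->pdo->setAttribute(PDO::ATTR_STRINGIFY_FETCHES, true);
-$this->isConnected = true;
+try {
+$user = $this->connectInfo['user'];
+$pass = $this->connectInfo['pass'];
+//PDO::MYSQL_ATTR_INIT_COMMAND
+$this->pdo = new PDO(
+$this->dsn,
+$user,
+$pass,
+array(1002 => 'SET NAMES utf8',
+PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
+
+)
+);
+$this->pdo->setAttribute(PDO::ATTR_STRINGIFY_FETCHES, true);
+$this->isConnected = true;
+}
+catch(PDOException $e) {
+throw new PDOException('Could not connect to database.');
+}
 }
 /**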
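Review bot: The new catch at the end of connect() discards the original PDOException entirely, so an operator diagnosing a failed connection gets only the generic message and no record of the actual cause (refused host, bad credentials, missing driver). Record the cause somewhere that never reaches the HTTP response before rethrowing, e.g. `error_log('PDO connect failed: ' . $e->getMessage());`, but deliberately do not chain `$e` as the new exception's `previous`: PHP's default uncaught-exception output prints chained exceptions together with their stack traces, and the original trace contains the `new PDO($this->dsn, $user, $pass, ...)` frame with its arguments, which would reintroduce exactly the credential exposure this commit is meant to stop. That design choice deserves a one-line comment above the `throw`, something like `// intentionally not chaining $e: its trace carries the PDO constructor arguments`. The rethrow also drops the exception code, so any caller inspecting `$e->getCode()` now always sees 0; if that matters, pass the original code through as the second constructor argument.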
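--- a/testing/RedUNIT/Blackhole/Misc.php
+++ b/testing/RedUNIT/Blackhole/Misc.php
@@ -97,7 +97,7 @@ public function run() {
 asrt($band->property3,123);
 asrt($band->property4,345);
-testpack('Test blackhold DSN and setup()');
+testpack('Test blackhole DSN and setup()');
 R::setup('blackhole:database');
 pass();
@@ -108,6 +108,8 @@ public function run() {
 }
 catch(PDOException $e){
 pass();
+//make sure the message is non-descriptive - avoid revealing security details if user hasnt configured error reporting improperly.
+asrt($e->getMessage(),'Could not connect to database.');
 }
 testpack('Can we pass a PDO object to Setup?');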
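Review bot: The comment added in the second hunk says the opposite of what it means — "if user hasnt configured error reporting improperly" — and should read `//make sure the message is non-descriptive - avoid revealing connection details when error reporting has not been configured properly for production.` The assertion beneath it pins the exact message string, so any rewording of the message in RedBean/Driver/PDO.php will fail this test; that coupling is reasonable for a security regression check but is worth stating in the comment so the next maintainer does not "fix" it by loosening the assertion. The enclosing run() method and the try block closed by the hunk's first `}` both begin outside the hunk.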