
Textpattern CMS support forum


#1 2023-02-26 14:36:43

lindabb
Member
Registered: 2023-02-17
Posts: 132

Error reporting and $production_status

Hello,
As I'm testing this nice CMS, going through all kinds of scenarios, one of the scenarios is to stop MySQL and see what error I get!
I stopped MySQL, and I got a full descriptive error that includes even the DB name, user name and password, as shown below:

Fatal error: Uncaught mysqli_sql_exception:
No connection could be made because the target machine actively refused it in
C:\www\textpattern\textpattern\lib\txplib_db.php:247 Stack trace: #0
C:\www\textpattern\textpattern\lib\txplib_db.php(247): mysqli_real_connect(Object(mysqli), 'localhost', 'user_name', 'pssword', 'db_name', '3306', '', 2) #1
C:\www\textpattern\textpattern\lib\txplib_db.php(288): DB->__construct() #2
C:\www\textpattern\textpattern\publish.php(44): include_once('C:\\www\\textpa…') #3
C:\www\textpattern\index.php(72): include('C:\\www\\textpa…') #4 {main} thrown in
C:\www\textpattern\textpattern\lib\txplib_db.php on line 247

Note: I replaced the user name, password and DB name to avoid confusion.
1- So, after looking around, I found many $production_status checks looking for live or debug, and I assume they look for DB admin settings, because there is no such thing in the config file. If the DB connection is not available, from where is $production_status read?
2- If I set ini_set("display_errors", "0"); // disabled it in .\textpattern\index.php, there is no error at all, just a blank page!
3- Same issue when disabled with ini_set("display_errors", "0"); in .\textpattern\textpattern\index.php, just a blank page.

If I'm not missing anything, then this is a big security hole if a user just installs the default settings,
unless I'm missing some configuration, as I'm a new user of Textpattern.

I host my site with a cheap US-based company (HG hosting); every other week I get an email telling me the connection timed out (in my connect I send an email to myself with the error message, while I show a nice complete HTML page (to avoid SEO issues) without letting the user know there is an error).

Thank you for any suggestion

Last edited by lindabb (2023-02-26 14:39:27)


#2 2023-02-26 18:13:12

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,468

Re: Error reporting and $production_status

In theory, if your production status is set to Live you should not see any error messages under any circumstances. If that is not working in some cases, we definitely need to see if we can close those to prevent credentials leaking.

It should only report more serious warnings in Testing mode, and then full debug stack trace info in Debug mode.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#3 2023-02-26 19:29:59

lindabb
Member
Registered: 2023-02-17
Posts: 132

Re: Error reporting and $production_status

Thank you Bloke,
My production status is Live on the admin page (Site menu),
and my php.ini error reporting is off (display_errors = Off).
Is there any other place to change the production status other than the admin page?

Thank you again


#4 2023-02-26 19:58:09

lindabb
Member
Registered: 2023-02-17
Posts: 132

Re: Error reporting and $production_status

I checked \textpattern\lib\txplib_db.php line 247; it looks like die(db_down()); is not triggering.
For my testing, I added a try/catch and it worked:

try {
    if (!mysqli_real_connect($this->link, $this->host, $this->user, $this->pass, $this->db, $this->port, $this->socket, $this->client_flags)) {
        die(db_down());
    }
} catch (Exception $e) {
    // $error = $e->getMessage();   // kept for reference only, never echoed
    echo 'something wrong';         // $error;
    die();
}

Maybe only with PHP 8.x! Not sure.
It would be nice to just stop MySQL and test it, LOL, on your testing computer.

Thank you


#5 2023-02-26 21:00:57

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,468

Re: Error reporting and $production_status

I think echoing $e->getMessage(); is probably not a good idea in this instance as it could leak connection details. What we should probably do is catch the error and output our own message.

Thank you, I’ll run some tests and see what we can do about this.



#6 2023-02-26 23:38:20

etc
Developer
Registered: 2010-11-11
Posts: 5,237

Re: Error reporting and $production_status

My local XAMPP outputs Object(SensitiveParameterValue) instead of the password, so I think it's partly a PHP responsibility too. But yes, we should patch it, thank you for the report.


#7 2023-02-27 00:23:02

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,468

Re: Error reporting and $production_status

Hmm, I can’t make my local MAMP fall over that way by merely stopping mysqld. I just get Database unavailable. If you’re able to get yours to break, by all means patch it, Oleg, thank you.



#8 2023-02-27 10:18:03

etc
Developer
Registered: 2010-11-11
Posts: 5,237

Re: Error reporting and $production_status

Ok, try this catch. It should output Database unavailable now.

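The "catch the error and output our own message" approach the developers settle on above, written out as an added example (this is not Textpattern's code, and the function names and placeholder connection values are assumptions). It also shows why the original `die(db_down())` never ran: since PHP 8.1 mysqli defaults to strict exception reporting, so a refused connection throws mysqli_sql_exception instead of returning false, and with display_errors on the uncaught exception prints the trace including the connect arguments. The `#[\SensitiveParameter]` attribute needs PHP 8.2+, which is what produces the `Object(SensitiveParameterValue)` seen on XAMPP above.

```php
<?php
// Added example, not Textpattern's own code: a connection helper that
// catches mysqli_sql_exception so the credentials in the stack trace
// never reach the browser. Function names and the placeholder
// connection values are assumptions for this example (PHP 8.2+).
declare(strict_types=1);

// PHP 8.1+ already defaults to exceptions (MYSQLI_REPORT_ERROR |
// MYSQLI_REPORT_STRICT); set it explicitly so older runtimes behave
// the same way and the catch branch below is always the one that runs.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Visitor-facing page: nothing about host, user, database or password. */
function db_down(): string
{
    http_response_code(503);

    return '<!DOCTYPE html><title>Database unavailable</title>'
        . '<h1>Database unavailable</h1><p>Please try again later.</p>';
}

/**
 * Open the connection or stop with a generic page.
 * #[\SensitiveParameter] (PHP 8.2+) makes any trace that *is* emitted show
 * Object(SensitiveParameterValue) instead of the password.
 */
function connect_db(
    string $host,
    string $user,
    #[\SensitiveParameter] string $pass,
    string $db,
    int $port = 3306
): mysqli {
    $link = mysqli_init();

    if ($link === false) {
        die(db_down());
    }

    try {
        // With strict reporting a failed connect throws; the boolean
        // check is only reached when an older runtime returns false.
        if (!mysqli_real_connect($link, $host, $user, $pass, $db, $port)) {
            die(db_down());
        }
    } catch (mysqli_sql_exception $e) {
        // Keep the real reason (e.g. errno 2002 "connection refused",
        // 1045 "access denied") in the server log only. $e->getMessage()
        // can contain the host and user name, so it is never echoed.
        error_log(sprintf('DB connect failed, errno %d: %s', $e->getCode(), $e->getMessage()));
        die(db_down());
    }

    return $link;
}

// Placeholder values; in Textpattern these come from config.php.
$DB = connect_db('localhost', 'user_name', 'password', 'db_name');
```

Two practical checks: keep `display_errors = Off` in production regardless, because any other uncaught exception in a code path that has no catch would print its trace the same way; and make sure the PHP error log is outside the web root, since the `error_log()` line above now holds the very message we kept off the page.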

#9 2023-02-27 13:08:59

lindabb
Member
Registered: 2023-02-17
Posts: 132

Re: Error reporting and $production_status

Thank you all for checking it out; it is nice to see developers care about the issue.
Maybe instead of showing "Database unavailable", allow the user to customize the error,
like this:

try {
    if (!mysqli_real_connect($this->link, $this->host, $this->user, $this->pass, $this->db, $this->port, $this->socket, $this->client_flags)) {
        die(db_down());
    }
} catch (Exception $e) {
    die(db_down($e->getMessage()));
}

and in db_down:

function db_down($errormsg = '')
{
    // The user can pass the error if needed.
    // Check if the file exists and include it; if not, just output the HTML text as you have now.
    include 'files/error.php';
}

Thank you


#10 2023-02-27 13:36:40

etc
Developer
Registered: 2010-11-11
Posts: 5,237

Re: Error reporting and $production_status

lindabb wrote #334799:

Thank you all for checking it out; it is nice to see developers care about the issue.
Maybe instead of showing "Database unavailable", allow the user to customize the error,
like this:

Needs thinking, since $e->getMessage() contains sensitive information. We could, for example, introduce a callback to the db_down() function that hands over to disk-based plugins if necessary. Thanks for the suggestion.


#11 2023-02-27 13:52:21

lindabb
Member
Registered: 2023-02-17
Posts: 132

Re: Error reporting and $production_status

Thank you, sure, I agree.
Can use something like this:

try {
    // connect
} catch (mysqli_sql_exception $e) {
    switch ($e->getCode()) {
        case 2002: // CR_CONNECTION_ERROR: server refused the connection (the original sketch used 0)
            $msg = 'Cannot connect to server. Contact administrator';
            break;
        case 1045: // ER_ACCESS_DENIED_ERROR
            $msg = 'Invalid username/password, please try again';
            break;
    }
}

Last edited by lindabb (2023-02-27 13:53:35)


#12 2023-02-28 14:03:52

etc
Developer
Registered: 2010-11-11
Posts: 5,237

Re: Error reporting and $production_status

Well, plugins would not do, since they are loaded after the DB connection attempt. And pre_publish_script is run before the DB is connected. Do we need a new error_script? And then should it be called on each (fatal) error?

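The customisable error page discussed in the last four posts, as an added example that is not Textpattern's code: the site-supplied handler receives only the error number, the SQLSTATE and whether the site is Live, never `$e->getMessage()`, so a custom page cannot leak the DSN even by accident. It also resolves the Live/Testing/Debug question from the top of the thread: in Live mode every failure collapses to the same text, so an outage and a wrong password look identical from outside. The override file path, the `$live` flag and the errno mapping are assumptions; requires PHP 8.1+ (`match`, `never`, `getSqlState()`).

```php
<?php
// Added example, not Textpattern's own code: a db_down() that a site can
// customise without ever receiving the exception message. Only the
// numeric errno, the SQLSTATE and the production status are passed on.
// The override file path, the $live flag and the mapping table are
// assumptions for this example (PHP 8.1+).
declare(strict_types=1);

// Assumed location of an optional site-supplied handler. The file must
// `return function (int $errno, string $sqlstate, bool $live): string { ... };`
const DB_ERROR_HANDLER = __DIR__ . '/textpattern/config-db-error.php';

/**
 * Error numbers that are safe to explain, with texts that name no host,
 * user, database or path. Codes are from the MySQL client/server lists.
 */
function db_error_text(int $errno): string
{
    return match ($errno) {
        1045       => 'The site cannot authenticate to its database.',   // ER_ACCESS_DENIED_ERROR
        1049       => 'The configured database does not exist.',         // ER_BAD_DB_ERROR
        2002, 2003 => 'The database server is not reachable right now.', // CR_CONNECTION_ERROR / CR_CONN_HOST_ERROR
        default    => 'Database unavailable.',
    };
}

/**
 * Build the visitor-facing page. In Live mode every failure collapses to
 * the same text; Testing/Debug get the mapped reason (still no credentials).
 */
function db_down(int $errno = 0, string $sqlstate = '', bool $live = true): string
{
    if (is_file(DB_ERROR_HANDLER)) {
        $handler = include DB_ERROR_HANDLER;

        if (is_callable($handler)) {
            return (string) $handler($errno, $sqlstate, $live);
        }
    }

    $reason = $live ? 'Database unavailable.' : db_error_text($errno);
    $reason = htmlspecialchars($reason, ENT_QUOTES, 'UTF-8');

    return '<!DOCTYPE html><title>Database unavailable</title>'
        . "<h1>Database unavailable</h1><p>{$reason}</p>";
}

/** Log the full detail server-side, send a temporary-failure status, stop. */
function db_down_and_exit(mysqli_sql_exception $e, string $production_status): never
{
    // The message can name the host and user: server log only.
    error_log(sprintf('DB connect failed, errno %d (%s): %s',
        $e->getCode(), $e->getSqlState(), $e->getMessage()));

    http_response_code(503);        // "temporarily unavailable": crawlers retry rather than de-index
    header('Retry-After: 120');
    echo db_down($e->getCode(), $e->getSqlState(), $production_status === 'live');
    exit;
}

// Usage in the connect code, replacing `die(db_down($e->getMessage()))`:
//   try { /* mysqli_real_connect(...) */ }
//   catch (mysqli_sql_exception $e) { db_down_and_exit($e, $production_status); }
```

Because the handler is a plain file included before any plugin or `pre_publish_script` runs, it sidesteps the load-order problem raised in the last post; and since the signature carries no message string, even a handler that echoes all its arguments can only ever print a number and a SQLSTATE.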
