View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000683 | XMB1 | Meta | public | 2024-01-24 21:51 | 2024-04-24 08:37 |
| Reporter | lottos | Assigned To | miqrogroove | ||
| Priority | low | Severity | text | Reproducibility | N/A |
| Status | resolved | Resolution | fixed | ||
| Product Version | 1.9.8 SP2 | ||||
| Target Version | 1.9.12.07 | Fixed in Version | 1.9.12.07 | ||
| Summary | 0000683: config.php warn about ' in password | ||||
| Description | in config.php, recommend adding a comment near $dbpw eg: // do not include the character ' in the password (and any other characters that may cause an issue, ; could be a contender too or the install script could check for those characters that cause an issue) for example $dbpw = 's6gfOpj'&s'; // Password used to access it will result in a "This page isn’t working www.example.com is currently unable to handle this request. HTTP ERROR 500" error. | ||||
| Tags | No tags attached. | ||||
| MySQL Version | |||||
| PHP Version | |||||
| Web Server | |||||
| Browser | |||||
| Flags | |||||
| Original Reporter | |||||
| SVN Revision | 3056 | ||||
| related to | 0000153 | closed | miqrogroove | Input Sanitization for Installer |
|
|
Wouldn't using double quotes or adding backslashes to the input (fun) theoretically fix this? |
|
|
0000153 Seems like this has been tracked since 2008 :P |
|
|
Still catching people out - suspect this was the cause of the error reported on the forum here: https://forums.xmbforum2.com/viewthread.php?tid=777148 and it also got me when installing a new instance of xmb, so at the least, a comment in the config file would have helped |
|
|
Just for argument's sake, this syntax is not unique to the $dbpw variable, or even passwords in general. There's nothing really preventing $full_url from containing an apostrophe, except that there's a standards-based rule that it should be url-encoded in that context. The SMTP username field is even more liberal as to its use and meaning. So I'm reading this like a warning that PHP files have to conform to the PHP syntax. Which would be a silly nuisance on its own. Is there a root problem here other than folks not knowing how PHP works? Do we need to add a link to the PHP manual? p.s. Semicolons are not a problem. But you're opening a can of worms in the world of backslashes. Usernames and passwords containing backslashes are all kinds of fun because they won't cause parser errors. |
|
|
Not everyone who installs a forum is a php expert or even a php novice. The problem as I see it is if someone creates a password in the config file that ends up seeing a 'HTTP ERROR 500' isn't going to be aware that it's the character(s) in the dbpw file as the cause, they will probably just assume the install (or forum) simply doesn't work. Hence the recommendation of a comment near the setting. |
|
|
It's among the myriad problems with the install script. I would think that sandboxing the config file and reporting syntax errors in a health check manner would be more intuitive than burying a note in the source code. If the syntax is still a concern, a different file format would help too. |
|
|
Suppose so. From my perspective, I usually edit the file manually and change settings so the comment would be a reminder. |
|
|
I'm guessing this can be marked as a duplicate of the other issue being tracked? |
|
|
I'm not entirely sure at this point. lottos are you manually editing the file to workaround the other bugs? Or do you just always manually edit the file? There's a revised installer in the SVN trunk, soon to be released. |
|
|
Let's call this a text change for the next patch. Sandboxing the config file would be less elegant than switching to a cleaner file format, and that would have to be part of a version upgrade script in the larger context. Meanwhile, there are settings in the config file that shouldn't be there in the first place, so the whole thing could be re-designed. |
|
|
Decided sandboxing isn't so bad for a patch. This will display the error even when errors are not normally displayed. Switching file formats still a good plan if there's a new major version. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-01-24 21:51 | lottos | New Issue | |
| 2024-04-01 15:53 | flushedpancake | Note Added: 0000436 | |
| 2024-04-01 16:14 | flushedpancake | Note Added: 0000437 | |
| 2024-04-01 22:05 | lottos | Relationship added | related to 0000153 |
| 2024-04-01 22:09 | lottos | Note Added: 0000438 | |
| 2024-04-09 15:50 | miqrogroove | Note Added: 0000465 | |
| 2024-04-09 16:05 | lottos | Note Added: 0000466 | |
| 2024-04-09 17:27 | miqrogroove | Note Added: 0000467 | |
| 2024-04-09 17:30 | lottos | Note Added: 0000468 | |
| 2024-04-10 10:43 | flushedpancake | Note Added: 0000479 | |
| 2024-04-10 13:07 | miqrogroove | Note Added: 0000481 | |
| 2024-04-10 13:07 | miqrogroove | Note Edited: 0000481 | |
| 2024-04-20 08:25 | miqrogroove | Severity | minor => text |
| 2024-04-20 08:25 | miqrogroove | Status | new => confirmed |
| 2024-04-20 08:25 | miqrogroove | Product Version | 1.9.12.05 => 1.9.8 SP2 |
| 2024-04-20 08:25 | miqrogroove | Target Version | => 1.9.12.07 |
| 2024-04-20 08:25 | miqrogroove | Note Added: 0000487 | |
| 2024-04-24 06:09 | miqrogroove | Assigned To | => miqrogroove |
| 2024-04-24 06:09 | miqrogroove | Status | confirmed => assigned |
| 2024-04-24 08:37 | miqrogroove | Status | assigned => resolved |
| 2024-04-24 08:37 | miqrogroove | Resolution | open => fixed |
| 2024-04-24 08:37 | miqrogroove | Fixed in Version | => 1.9.12.07 |
| 2024-04-24 08:37 | miqrogroove | SVN Revision | => 3056 |
| 2024-04-24 08:37 | miqrogroove | Note Added: 0000506 |
