View Issue Details

IDProjectCategoryView StatusLast Update
0000683XMB1Bugspublic2024-05-18 06:03
Reporterlottos Assigned Tomiqrogroove  
PrioritylowSeveritytextReproducibilityN/A
Status resolvedResolutionfixed 
Product Version1.9.8 SP2 
Target Version1.9.12.07Fixed in Version1.9.12.07 
Summary0000683: config.php warn about ' in password
Descriptionin config.php, recommend adding a comment near $dbpw
eg:
// do not include the character ' in the password
(and any other characters that may cause an issue, ; could be a contender too
or the install script could check for those characters that cause an issue)

for example
$dbpw = 's6gfOpj'&s'; // Password used to access it
will result in a "This page isn’t working www.example.com is currently unable to handle this request.
HTTP ERROR 500" error.
TagsNo tags attached.
MySQL Version
PHP Version
Web Server
Browser
Flags
Original Reporter
SVN Revision3056

Relationships

related to 0000153 closedmiqrogroove Input Sanitization for Installer 

Activities

flushedpancake

2024-04-01 15:53

reporter   ~0000436

Wouldn't using double quotes or adding backslashes to the input (fun) theoretically fix this?

flushedpancake

2024-04-01 16:14

reporter   ~0000437

0000153
Seems like this has been tracked since 2008 :P

lottos

2024-04-01 22:09

updater   ~0000438

Still catching people out - suspect this was the cause of the error reported on the forum here:
https://forums.xmbforum2.com/viewthread.php?tid=777148

and it also got me when installing a new instance of xmb, so at the least, a comment in the config file would have helped

miqrogroove

2024-04-09 15:50

administrator   ~0000465

Just for argument's sake, this syntax is not unique to the $dbpw variable, or even passwords in general. There's nothing really preventing $full_url from containing an apostrophe, except that there's a standards-based rule that it should be url-encoded in that context. The SMTP username field is even more liberal as to its use and meaning.

So I'm reading this like a warning that PHP files have to conform to the PHP syntax. Which would be a silly nuisance on its own.

Is there a root problem here other than folks not knowing how PHP works? Do we need to add a link to the PHP manual?

p.s. Semicolons are not a problem. But you're opening a can of worms in the world of backslashes. Usernames and passwords containing backslashes are all kinds of fun because they won't cause parser errors.

lottos

2024-04-09 16:05

updater   ~0000466

Not everyone who installs a forum is a php expert or even a php novice. The problem as I see it is if someone creates a password in the config file that ends up seeing a 'HTTP ERROR 500' isn't going to be aware that it's the character(s) in the dbpw file as the cause, they will probably just assume the install (or forum) simply doesn't work. Hence the recommendation of a comment near the setting.

miqrogroove

2024-04-09 17:27

administrator   ~0000467

It's among the myriad problems with the install script. I would think that sandboxing the config file and reporting syntax errors in a health check manner would be more intuitive than burying a note in the source code. If the syntax is still a concern, a different file format would help too.

lottos

2024-04-09 17:30

updater   ~0000468

Suppose so.

From my perspective, I usually edit the file manually and change settings so the comment would be a reminder.

flushedpancake

2024-04-10 10:43

reporter   ~0000479

I'm guessing this can be marked as a duplicate of the other issue being tracked?

miqrogroove

2024-04-10 13:07

administrator   ~0000481

Last edited: 2024-04-10 13:07

I'm not entirely sure at this point. lottos are you manually editing the file to workaround the other bugs? Or do you just always manually edit the file? There's a revised installer in the SVN trunk, soon to be released.

miqrogroove

2024-04-20 08:25

administrator   ~0000487

Let's call this a text change for the next patch. Sandboxing the config file would be less elegant than switching to a cleaner file format, and that would have to be part of a version upgrade script in the larger context. Meanwhile, there are settings in the config file that shouldn't be there in the first place, so the whole thing could be re-designed.

miqrogroove

2024-04-24 08:37

administrator   ~0000506

Decided sandboxing isn't so bad for a patch. This will display the error even when errors are not normally displayed. Switching file formats still a good plan if there's a new major version.

Issue History

Date Modified Username Field Change
2024-01-24 21:51 lottos New Issue
2024-04-01 15:53 flushedpancake Note Added: 0000436
2024-04-01 16:14 flushedpancake Note Added: 0000437
2024-04-01 22:05 lottos Relationship added related to 0000153
2024-04-01 22:09 lottos Note Added: 0000438
2024-04-09 15:50 miqrogroove Note Added: 0000465
2024-04-09 16:05 lottos Note Added: 0000466
2024-04-09 17:27 miqrogroove Note Added: 0000467
2024-04-09 17:30 lottos Note Added: 0000468
2024-04-10 10:43 flushedpancake Note Added: 0000479
2024-04-10 13:07 miqrogroove Note Added: 0000481
2024-04-10 13:07 miqrogroove Note Edited: 0000481
2024-04-20 08:25 miqrogroove Severity minor => text
2024-04-20 08:25 miqrogroove Status new => confirmed
2024-04-20 08:25 miqrogroove Product Version 1.9.12.05 => 1.9.8 SP2
2024-04-20 08:25 miqrogroove Target Version => 1.9.12.07
2024-04-20 08:25 miqrogroove Note Added: 0000487
2024-04-24 06:09 miqrogroove Assigned To => miqrogroove
2024-04-24 06:09 miqrogroove Status confirmed => assigned
2024-04-24 08:37 miqrogroove Status assigned => resolved
2024-04-24 08:37 miqrogroove Resolution open => fixed
2024-04-24 08:37 miqrogroove Fixed in Version => 1.9.12.07
2024-04-24 08:37 miqrogroove SVN Revision => 3056
2024-04-24 08:37 miqrogroove Note Added: 0000506
2024-05-18 06:03 miqrogroove Category Meta => Bugs