Last modified: 2014-03-05 06:52:39 UTC

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T28811, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 26811 - Database connection errors display IP address
Status: RESOLVED FIXED
Product: MediaWiki
Classification: Unclassified
Component: Database
Version: 1.16.x
Hardware: All
OS: All
Priority: Normal
Severity: normal
Target Milestone: 1.23.0 release
Assigned To: Kevin Israel (PleaseStand)
URL:
Depends on:
Blocks:
Reported: 2011-01-19 22:58 UTC by sam.w.gabriel
Modified: 2014-03-05 06:52 UTC
CC: 5 users
See Also:
Web browser: ---
Mobile Platform: ---


Description sam.w.gabriel 2011-01-19 22:58:17 UTC
A database server disconnection, either as the result of a network failure or a failure of the database server itself, results in a message that contains the internal IP address of the database server. This is a security vulnerability.

The code that generates these messages, in includes/db/Database.php is:

<pre>
$sorry = 'Sorry! This site is experiencing technical difficulties.';
$again = 'Try waiting a few minutes and reloading.';
$info  = '(Can\'t contact the database server: $1)';

if ( $wgLang instanceof Language ) {
	$sorry = htmlspecialchars( $wgLang->getMessage( 'dberr-problems' ) );
	$again = htmlspecialchars( $wgLang->getMessage( 'dberr-again' ) );
	$info  = htmlspecialchars( $wgLang->getMessage( 'dberr-info' ) );
}
</pre>

The dberr-info message is the same as the hard-coded default value for the $info variable. Both contain a variable $1, and the $1 variable is later replaced by the error message from the server. The easiest way to correct the vulnerability is to change the text of the dberr-info message so that it doesn't contain the $1 variable. We want to change

    (Cannot contact the database server: $1)

to

    (Cannot contact the database server)

There are two ways that this is normally done, one via the wiki user interface and the other via code. To make the change via the wiki, one uses the "System messages" special page in the "Wiki data and tools" category. To make the change via code, one adds a message filter function to the MessagesPreLoad hook.

Both of these methods were tried, and neither was successful. A further review of the code indicated that the ''$wgLang->getMessage'' call bypasses both of the methods described above for changing error messages. If the ''wfMsg'' global function had been used in place of the ''$wgLang->getMessage'' call, the messages could have been changed.

Further testing, however, revealed that the source of the error messages was not the ''$wgLang->getMessage'' call, but the hard-coded strings set above this call.

To correct this issue changes must be made to the following two core files:
# includes/db/Database.php
# languages/messages/MessagesEn.php

The two sed scripts below, executed on the web server, were found to correct the vulnerability in the MediaWiki 1.16.0 core code in its standard location:

<pre>
sed -r -i.bak "/^'dberr-info'/s/: [$]1//" \
    languages/messages/MessagesEn.php

sed -r -i.bak "/[$]info  = '[(]Can/s/: [$]1//" \
    includes/db/Database.php
</pre>

This problem will be reported to MediaWiki so that the core doesn't need to be patched with each release. The user should be able to change the text of these messages without having to patch core MediaWiki.
Comment 1 Chad H. 2011-01-19 23:11:02 UTC
Behavior should probably be conditional based on $wgShowSQLErrors.
Comment 2 Sumana Harihareswara 2013-02-22 02:26:44 UTC
Sam W. Gabriel, would you mind getting developer access https://www.mediawiki.org/wiki/Developer_access and committing your patches, or at least telling us here in BZ whether those are still the diffs between the files in the MediaWiki trunk and the fixed files on your server?

How to submit a patch to our Git repo: https://www.mediawiki.org/wiki/Git/Tutorial

Thank you.
Comment 3 Kevin Israel (PleaseStand) 2013-03-04 11:32:30 UTC
Gerrit change #52029
Comment 4 Alex Monk 2013-03-07 00:53:15 UTC
(In reply to comment #0)
> a message that contains the internal IP address of the database server. This is a security vulnerability.

That doesn't sound right to me. I'm leaning towards a RESOLVED INVALID here. IPs are not supposed to be private information.
Comment 5 Kevin Israel (PleaseStand) 2013-03-07 04:30:34 UTC
I disagree with the "security vulnerability" part as well; however, this report nevertheless describes an actual bug in the software, in that the database server's IP address may be shown even if both $wgShowHostnames and $wgShowSQLErrors are false.

Note that in some environments, private IP addresses are considered to be sensitive information (cf. PCI-DSS 2.0 Requirement 1.3.8 "Do not disclose private IP addresses and routing information to unauthorized parties.").
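As an added illustration of the behaviour suggested in comments 1 and 5 (detail shown only when $wgShowSQLErrors is on, server addresses kept out unless $wgShowHostnames is on), this is not MediaWiki's own code; the function names, the redaction patterns and the sample driver error are assumptions constructed for the example:

```php
<?php
// Added example, not MediaWiki code: fill the $1 placeholder of the
// dberr-info message without leaking the database server's address.

// Replace IPv4 addresses (optionally with :port) and quoted host names
// in a driver error string. Patterns are an assumption for the example.
function redactServerAddresses( string $error ): string {
	$error = preg_replace(
		'/\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b/', '[redacted]', $error );
	// MySQL/MariaDB messages usually name the peer as server '...' or host '...'.
	$error = preg_replace(
		"/\\b(server|host) '[^']*'/i", '$1 \'[redacted]\'', $error );
	return $error;
}

// Build the user-facing "(Can't contact the database server: $1)" text.
// $showSQLErrors mirrors $wgShowSQLErrors, $showHostnames mirrors $wgShowHostnames.
function buildDbErrorInfo( string $driverError, bool $showSQLErrors, bool $showHostnames ): string {
	if ( !$showSQLErrors ) {
		// Safe default: no driver detail at all, as the reporter proposed.
		return "(Can't contact the database server)";
	}
	$detail = $showHostnames ? $driverError : redactServerAddresses( $driverError );
	$template = '(Can\'t contact the database server: $1)';
	return str_replace( '$1', htmlspecialchars( $detail ), $template );
}

// Constructed sample error in the shape a MySQL client library returns.
$sample = "Can't connect to MySQL server on '10.0.3.17' (111)";
echo buildDbErrorInfo( $sample, false, false ), "\n"; // no detail
echo buildDbErrorInfo( $sample, true, false ), "\n";  // detail, address redacted
echo buildDbErrorInfo( $sample, true, true ), "\n";   // full driver message
```

The second and third lines of output differ only in whether '10.0.3.17' survives, which is the distinction the two settings are meant to control.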
Comment 6 Gerrit Notification Bot 2013-09-03 21:02:39 UTC
Change 52029 merged by jenkins-bot:
Hide server IP addresses from DB error pages

https://gerrit.wikimedia.org/r/52029
Comment 7 Andre Klapper 2013-09-25 09:48:56 UTC
(In reply to comment #6)
> Change 52029 merged by jenkins-bot:
> Hide server IP addresses from DB error pages
> 
> https://gerrit.wikimedia.org/r/52029

Patch got merged - can this bug report be closed as RESOLVED FIXED or is more work required?
Comment 8 Kevin Israel (PleaseStand) 2013-09-25 09:57:24 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Change 52029 merged by jenkins-bot:
> > Hide server IP addresses from DB error pages
> > 
> > https://gerrit.wikimedia.org/r/52029
> 
> Patch got merged - can this bug report be closed as RESOLVED FIXED or is more
> work required?

I still have to fix DBUnexpectedError. *Then* I think we can close as RESOLVED FIXED.
Comment 9 Gerrit Notification Bot 2013-10-13 12:34:22 UTC
Change 89512 had a related patch set uploaded by PleaseStand:
Hide message for DBUnexpectedError exceptions

https://gerrit.wikimedia.org/r/89512
Comment 10 Andre Klapper 2014-02-17 19:26:48 UTC
https://gerrit.wikimedia.org/r/#/c/89512/ still needs rework.
Comment 11 Gerrit Notification Bot 2014-03-05 01:09:21 UTC
Change 89512 merged by jenkins-bot:
Hide message for DBUnexpectedError exceptions

https://gerrit.wikimedia.org/r/89512
Comment 12 Kevin Israel (PleaseStand) 2014-03-05 06:52:39 UTC
Fixed for DB connection and query errors in 1.22 (when both $wgShowHostnames and $wgShowSQLErrors are false), and fixed for DBUnexpectedErrors in master/1.23 (when $wgShowExceptionDetails is false).
