How about outputting the debugger "Context" only for 127.0.0.1?

On Jun 22, 7:02 pm, mark_story <mark.st...@gmail.com> wrote:
> It is the developer's fault, for deploying a system in a way it should
> never be deployed.
>
> Since I was working under the pretense that any developer who
> actually cared about these kinds of things wouldn't make a stupid
> mistake like this. And combined with the fact that removing the
> passwords is a non-trivial problem, I punted on the issue.  The place
> where this error gets displayed from is inside Debugger, and it's more
> than non-trivial to filter through the various parts of output,
> looking for things that follow password, and cutting them out.  While
> this is probably doable it will affect all the messages that Debugger
> will create.
>
> I guess I underestimated the ability of people to screw up basic
> deployment.  If someone wants to prepare a patch, I'd be happy to
> apply it so people who can't be bothered to properly deploy their
> applications can sleep better at night.
>
> -Mark
>
> On Jun 21, 10:22 am, Miles J <mileswjohn...@gmail.com> wrote:
>
> > I have brought this problem up before. Last time, the Cake devs said
> > it was the developer's fault and it will stay in.
>
> > -_-
>
> > On Jun 21, 8:23 am, looklook look <bashl...@gmail.com> wrote:
>
> > > Now you got my point ;)
>
> > > I have tried with a google query to show database connections on Drupal,
> > > Codeigniter, Wordpress and many others.
> > > But yes, they can handle this database error carefully.
>
> > > So, I think this is a critical issue that should be fixed immediately.
>
> > > Thanks
>
> > > Yodi
> > > http://yoodey.com
>
> > > On Tue, Jun 21, 2011 at 9:36 PM, Thomas Ploch <profipl...@googlemail.com> wrote:
>
> > > > OMG,
>
> > > > I certainly could connect to __several__ mysql servers found with this
> > > > google query.
>
> > > > Although I agree that this is a developer's mistake, I am sure that
> > > > there are a lot of unskilled developers that are doing this because they
> > > > just don't know better. So removing those values from the output would
> > > > be a +1 from me.
>
> > > > Regards,
> > > > Thomas
>
> > > > On Tuesday, 21.06.2011, 06:02 -0700, chris wrote:
> > > > > I'm intrigued by this issue.
>
> > > > > Can someone explain what situations would the whole config var be
> > > > > output? Is it only when an error occurs, and only when at a certain
> > > > > debug level? I've never seen it displayed at all whilst developing
> > > > > with cakePHP.
>
> > > > > Out of interest I googled the first part of the output, i.e.
>
> > > > > $config = array( "persistent" => false,
>
> > > > > and it certainly surprised me how many sites this brings back with
> > > > > passwords on show.
>
> > > > > On Jun 21, 12:46 pm, yodi <bashl...@gmail.com> wrote:
> > > > > > Sorry, it was on a random site built by CakePHP.
>
> > > > > > To Euromark, I found more than 100 websites affected with this problem
> > > > > > and I don't have much time to email them all.
>
> > > > > > I think, regardless of whether debug > 0, CakePHP shouldn't throw the
> > > > > > real password into CONTEXT.
>
> > > > > > I tried searching other CMSs and frameworks. Using the same method, I found
> > > > > > none of them show the real password where a database connection error
> > > > > > occurred.
>
> > > > > > Yes, this is a security issue for me, as there are many developers
> > > > > > using CakePHP.
>
> > > > > > To Larry, I can send you some messages to show how much it's
> > > > > > affected. It can be a consideration.
>
> > > > > > Thanks
>
> > > > > > On Tue, 2011-06-21 at 06:13 -0500, Larry E. Masters wrote:
> > > > > > > Are you saying this was on the CakePHP website or a random site
> > > > > > > you were visiting?
>
> > > > > > > --
> > > > > > > Larry E. Masters
>
> > > > > > > On Mon, Jun 20, 2011 at 2:18 PM, yoodey <bashl...@gmail.com> wrote:
> > > > > > >         Hello all,
>
> > > > > > >         I was randomly browsing and got a website with a database
> > > > > > >         connection error.
> > > > > > >         It gave me an error page: Warning (2): mysql_connect()
> > > > > > >         [function.mysql-connect]: Access denied for user ...
>
> > > > > > >         So I clicked on the Context option and got this information.
>
> > > > > > >         $config =       array(
> > > > > > >                "persistent" => false,
> > > > > > >                "host" => "xxxxxxxxxxxxxxxxxxx",
> > > > > > >                "login" => "dbxxxxx",
> > > > > > >                "password" => "dbtxxx",
> > > > > > >                "database" => "dbxxxxx",
> > > > > > >                "port" => "3306",
> > > > > > >                "driver" => "mysql",
> > > > > > >                "prefix" => "",
> > > > > > >                "encoding" => "UTF8"
> > > > > > >         )
>
> > > > > > >         To avoid other people doing bad things, I'm not showing the
> > > > > > >         real error information.
>
> > > > > > >         I ran a mysql command based on that information and guess
> > > > > > >         what? I got full access!
> > > > > > >         Curious about this error, I did a little research and found
> > > > > > >         more than 1000 websites with mysql root access. (There are
> > > > > > >         many others, but I'm too tired to check them one by one.)
>
> > > > > > >         This is a very dangerous thing, and I'm a big fan of
> > > > > > >         CakePHP. I'm working on a 50K/day visitors website powered
> > > > > > >         by CakePHP and I don't want this to happen to me.
>
> > > > > > >         So, please tell me, which people at cakephp.org should be
> > > > > > >         contacted because of this issue. Opening a ticket would leak
> > > > > > >         the real information for the victim website.
>
> > > > > > >         Thanks
>
> > > > > > >         Yoodey
>
> > > > > > >         --
> > > > > > >         Our newest site for the community: CakePHP Video Tutorials
> > > > > > >         http://tv.cakephp.org
> > > > > > >         Check out the new CakePHP Questions site
> > > > > > >         http://ask.cakephp.org and help others with their CakePHP
> > > > > > >         related questions.
>
> > > > > > >         To unsubscribe from this group, send email to
> > > > > > >         cake-php+unsubscr...@googlegroups.com For more options,
> > > > > > >         visit this group at http://groups.google.com/group/cake-php
>
>


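As an added example (not CakePHP's Debugger code; the function names are hypothetical), one way to act on both suggestions in the thread: redact credential-looking keys in the context array before it is rendered, and show the context only to loopback clients. The sample `$config` array is constructed to match the shape of the dump quoted above, with fake values.

```php
<?php
// Added example, not CakePHP's Debugger code. Function names are hypothetical.
// Two defensive filters for the error-page "Context" dump discussed in the thread.

// Keys whose values must never reach an error page, matched case-insensitively
// as substrings, so "password", "db_password" and "apiSecret" are all caught.
const SENSITIVE_KEYS = ['password', 'passwd', 'secret', 'token', 'login'];

// Recursively replace sensitive values in a context array with a placeholder,
// so a nested $config (as in the quoted dump) is covered as well.
function redactContext(array $vars, array $sensitive = SENSITIVE_KEYS): array
{
    foreach ($vars as $name => $value) {
        if (is_array($value)) {
            $vars[$name] = redactContext($value, $sensitive);
            continue;
        }
        foreach ($sensitive as $needle) {
            if (stripos((string) $name, $needle) !== false) {
                $vars[$name] = '*****';
                break;
            }
        }
    }
    return $vars;
}

// Show the context only to loopback clients, as the top of the thread proposes.
// Caveat: behind a reverse proxy REMOTE_ADDR is the proxy's address, so this
// is a second line of defence, not a substitute for debug = 0 in production.
function contextAllowed(array $server): bool
{
    return in_array($server['REMOTE_ADDR'] ?? '', ['127.0.0.1', '::1'], true);
}

// Constructed sample shaped like the quoted dump; all values are fake.
$context = ['config' => [
    'persistent' => false, 'host' => 'db.example.invalid', 'login' => 'dbuser',
    'password' => 'not-a-real-password', 'database' => 'app', 'port' => '3306',
    'driver' => 'mysql', 'prefix' => '', 'encoding' => 'UTF8',
]];

print_r(redactContext($context));                           // redacted copy
var_dump(contextAllowed(['REMOTE_ADDR' => '127.0.0.1']));   // loopback client
var_dump(contextAllowed(['REMOTE_ADDR' => '203.0.113.7'])); // non-local client
```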