[SECURITY] Prevented PhabricatorSetupIssueView from exposing sensitive config…
3b1a1ae7e309
Actions

Description

[SECURITY] Prevented PhabricatorSetupIssueView from exposing sensitive config options.

Summary:
Currently PhabricatorSetupIssueView will show the current values of
configuration options regardless of whether or not they are defined
as hidden options. This means that if the MySQL server stops, Phabricator
will present the MySQL connection credentials to anyone who can access
the Phabricator page.

Test Plan:
Stop the MySQL server for a Phabricator instance. It should display 'hidden'
instead of the MySQL password.

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D5596

Details

Provenance

James Rhodes	Authored on Apr 6 2013, 12:27 AM
epriestley	Committed on Apr 6 2013, 12:39 AM
themackabu	Pushed on Mar 25 2025, 8:07 PM

Parents

rPbbfc8a093715: Fix typo in comment

Branches

Unknown

Tags

Unknown

Event Timeline

Changes (2)

Path

Size

src/

applications/

config/

response/

PhabricatorConfigResponse.php

view/

PhabricatorSetupIssueView.php

rP3b1a1ae7e309

View Options

src/applications/config/response/PhabricatorConfigResponse.php