?
avatar franzpeter
franzpeter
13 Jul 2015

I do not know if it is a security issue. But if a component partly failed on installation in case of some additional database tables and you created a link in a Joomla menu for that component, you get a website error, that something was not found (error page). But is it necessary to show the full query, which produced the error on that page, even if debug is set to off?

Expected result

error page without full query

Actual result

error page with full query result.

System information (as much as possible)

Joomla 3.4.x

Additional comments

avatar franzpeter franzpeter - open - 13 Jul 2015
avatar franzpeter
franzpeter - comment - 13 Jul 2015

I have seen that it occurs with every db query, not only if a component failed to install completely. if a $db->execute failed you will see the full query which failed on the error page.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar roland-d
roland-d - comment - 13 Jul 2015
avatar Bakual
Bakual - comment - 13 Jul 2015

There is actually already a try/catch block. But it is around the full query building (https://github.com/joomla/joomla-cms/blob/staging/components/com_content/models/article.php#L84-L242).
And it just shows the error message from the exception. So it doesn't help much.

I think better would be to just try/catch https://github.com/joomla/joomla-cms/blob/staging/components/com_content/models/article.php#L159 and raise a generic error message there.

avatar franzpeter
franzpeter - comment - 13 Jul 2015

Bakual, yes I think so. It should only show the query, which provokes an error if Joomla is set to report errors. Else it should tell that there is an error but not the db query to any user entering the page if error reporting is off.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar franzpeter
franzpeter - comment - 13 Jul 2015

The prefix for a db table for example is an additional security part. Else I could continue to use jos_. But just my opinion.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar Bakual
Bakual - comment - 13 Jul 2015

Actually, it should never show the query.
You can always set up the logger to log the database errors to a log file.

The prefix for a db table for example is an additional security part. Else I could continue to use jos_. But just my opinion.

It's both, a security part but also a feature which allows to have multiple Joomla installations within the same database.

avatar alikon alikon - reference | d533b96 - 15 Jul 15
avatar alikon
alikon - comment - 15 Jul 2015

@roland-d
i think should be try/cathed
@Bakual
i was playing around alikon@d533b96

may i have a some feedback....

avatar Devportobello
Devportobello - comment - 15 Jul 2015

Just want to remember some arg from this post: #6591

avatar zero-24 zero-24 - change - 8 May 2016
Status New Needs Review
avatar roland-d roland-d - change - 8 May 2016
Status Needs Review Information Required
avatar roland-d
roland-d - comment - 8 May 2016

@alikon will propose a pull request and we can then test his solution.


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar brianteeman
brianteeman - comment - 7 Jun 2016

@alikon @rolandd was a PR created?


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar roland-d
roland-d - comment - 7 Jun 2016

I haven't seen or heard anything. Any update @alikon ?

avatar alikon
alikon - comment - 8 Jun 2016

Sorry guys, completely forgotten, hope can i have a look on weekend...
On 7 Jun 2016 9:38 pm, "RolandD" notifications@github.com wrote:

I haven't seen or heard anything. Any update @alikon
https://github.com/alikon ?


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#7428 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AALFsWjcAKQLaJLRnE1v7nvI8--rpcJeks5qJci_gaJpZM4FXYir
.

avatar brianteeman
brianteeman - comment - 8 Jun 2016

Thanks

On 8 June 2016 at 07:42, Nicola Galgano notifications@github.com wrote:

Sorry guys, completely forgotten, hope can i have a look on weekend...
On 7 Jun 2016 9:38 pm, "RolandD" notifications@github.com wrote:

I haven't seen or heard anything. Any update @alikon
https://github.com/alikon ?


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#7428 (comment)
,
or mute the thread
<
https://github.com/notifications/unsubscribe/AALFsWjcAKQLaJLRnE1v7nvI8--rpcJeks5qJci_gaJpZM4FXYir

.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#7428 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/ABPH8dQfNDlNsp-5T3JEKMhgCeezBaAtks5qJmRsgaJpZM4FXYir
.

Brian Teeman
Co-founder Joomla! and OpenSourceMatters Inc.
http://brian.teeman.net/

avatar alikon
alikon - comment - 9 Jun 2016

some works was already done see #8130
not sure if we want to not display the query (for example if error_reporting was setted to none)
any comments?

avatar mbabker
mbabker - comment - 9 Jun 2016

My suggestion is that now that the database drivers throw a specific JDatabaseExceptionExecuting object on a query failure, the query should be removed from the Exception message and attached to the Exception object as a new property (a downstream catcher of the Exception could access the query via $exception->getQuery();). It removes the need to reverse parse the table prefix out of the query, makes it so that the query is NOT displayed as part of the error message, but continues to make that data available in all required contexts.

There's really no reason the query needs to be attached to the main Exception object's error message.

avatar alikon
alikon - comment - 23 Jun 2016
avatar mbabker
mbabker - comment - 23 Jun 2016

getErrorMessage() should be deprecated and removed. There's no reason to reverse parse the table prefix out of the query if it's attached to the Exception object as a different parameter and not the main message.

avatar alikon alikon - reference | 17a6871 - 28 Jun 16
avatar alikon
alikon - comment - 28 Jun 2016

do you mean something like this #10949 ?

avatar brianteeman
brianteeman - comment - 28 Jun 2016

As we now have a PR I am closing this here so conversation is in only one place


This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7428.

avatar brianteeman brianteeman - change - 28 Jun 2016
Status Information Required Closed
Closed_Date 0000-00-00 00:00:00 2016-06-28 09:26:48
Closed_By brianteeman
avatar brianteeman brianteeman - close - 28 Jun 2016

Add a Comment

Login with GitHub to post a comment