
Huge security risk on connection timeout #483

dhofstetter opened this issue Nov 1, 2014 · 1 comment

Comments

@dhofstetter

When, for some reason, the database is not available and so the connection is not available, there is the PDOException, which is quite OK so far. But not handling this exception somewhere and firing a new one is quite bad. The reason is that the current way makes your username and password available to everyone who can at least see the PHP error output, if enabled.

As you can see here, the constructor arguments to OAuth2/Storage/Pdo are shown as strings. It would be better not to rely on disabled PHP error output, as this might not be the case everywhere, and a database cannot be available every time.

```
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2002] Connection refused' in /home/.sites/65/site9693764/web/portal/vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/Pdo.php:53 Stack trace: #0 /home/.sites/65/site9693764/web/portal/vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/Pdo.php(53): PDO->__construct('mysql:host=127....', 'dev', 'dev', Array) #1 /home/.sites/65/site9693764/web/portal/vendor/zfcampus/zf-oauth2/src/Adapter/PdoAdapter.php(89): OAuth2\Storage\Pdo->__construct(Array, Array) #2 /home/.sites/65/site9693764/web/portal/vendor/zfcampus/zf-oauth2/src/Factory/PdoAdapterFactory.php(45): ZF\OAuth2\Adapter\PdoAdapter->__construct(Array, Array) #3 [internal function]: ZF\OAuth2\Factory\PdoAdapterFactory->createService(Object(Zend\ServiceManager\ServiceManager), 'zfoauth2adapter...', 'ZF\OAuth2\Adapt...') #4 /home/.sites/65/site9693764/web/portal/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php(902): call_user_func(Array, Object(Zend\ServiceM in /home/.sites/65/site9693764/web/portal/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php on line 909
```

Don't know if this is an issue of interest, but I think so.

@Gargaj
Contributor

Gargaj commented Nov 22, 2014

This is not an issue of this project but an issue of PDO: http://security.stackexchange.com/questions/15452/should-passwords-be-revealed-in-error-message

You can avoid this by wrapping the PDO construction in a try/catch.

I agree, however, that it should possibly be included in the example files as such.
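The try/catch wrapping described in the comment above, as an added example written against the storage constructor call shown in the trace; it is not code from oauth2-server-php or zf-oauth2, and `makeStorage()`, the config values and the autoloader path are assumptions.

```php
<?php
// Added example, not part of oauth2-server-php or zf-oauth2.
// The uncaught PDOException in the issue leaks credentials because PHP's
// fatal-error output prints the arguments of every trace frame, and frame #0
// is PDO->__construct('mysql:host=127....', 'dev', 'dev', Array).

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader path

use OAuth2\Storage\Pdo as PdoStorage;

/**
 * Build the OAuth2 PDO storage without letting a connection failure expose
 * the DSN, username or password through an uncaught exception trace.
 *
 * $config is the array OAuth2\Storage\Pdo accepts (dsn, username, password).
 * Passing it as ONE array matters: the trace of any exception created inside
 * this function records this frame as makeStorage(Array), not as the
 * individual credential strings.
 */
function makeStorage(array $config): PdoStorage
{
    try {
        return new PdoStorage($config);
    } catch (PDOException $e) {
        // Keep the diagnostic server-side. getMessage() carries the SQLSTATE
        // text ("Connection refused") but not the constructor arguments.
        error_log('OAuth2 storage unavailable: ' . $e->getMessage());

        // Rethrow a fresh exception and do NOT chain $e as $previous:
        // a chained exception keeps its own trace, and the uncaught-exception
        // output prints the whole chain, credentials included.
        throw new RuntimeException('OAuth2 storage is unavailable');
    }
}

// Constructed example configuration (placeholder values, assumed).
$storage = makeStorage([
    'dsn'      => 'mysql:host=127.0.0.1;dbname=oauth2',
    'username' => 'dev',
    'password' => 'dev',
]);
```

As defence in depth, PHP 7.4 and later can drop arguments from all exception traces with `zend.exception_ignore_args=On` in php.ini, and production hosts should keep `display_errors=Off` regardless.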
