[wp-trac] [WordPress Trac] #62100: Database password shows up in browser if apache mysql module not loaded
WordPress Trac
noreply at wordpress.org
Mon Sep 23 16:58:15 UTC 2024
#62100: Database password shows up in browser if apache mysql module not loaded
-------------------------------+------------------------------
Reporter: perryb | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version:
Severity: normal | Resolution:
Keywords: reporter-feedback | Focuses:
-------------------------------+------------------------------
Changes (by johnbillion):
* keywords: => reporter-feedback
* version: 6.6.2 =>
Comment:
Thanks for the report @perryb.
Regarding the parameters being shown in the fatal error stack trace,
there's nothing that WordPress can do about this except to implement the
`SensitiveParameter` attribute. This is being tracked in #57304.
That said, this error should be caught during the bootstrap process of
WordPress when it checks for the existence of the `mysqli_connect`
function here:
https://github.com/WordPress/wordpress-develop/blob/fd104aed1427167a8273bc6dc8dc43c1dd66ae02/src/wp-includes/load.php#L174-L204 .
I can see from the stack trace that your
site is running Query Monitor which likely means the `wp-content/db.php`
file is in place which will cause this check to get skipped. The reason
for this is in case a custom database driver is installed and WordPress
lets it take over.
If you delete the `wp-content/db.php` file or deactivate Query Monitor
then you should see the appropriate error message about the missing mysqli
extension. If that's the case then I think we can close this ticket as
there's nothing more that WordPress can do in this case.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62100#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
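
Added example, not part of the original message and not WordPress code: how a credential passed as a function argument ends up in an error's stack trace, and how the `SensitiveParameter` attribute mentioned in the comment redacts it. The function names and credentials are constructed for illustration; it assumes PHP 8.2 or later and turns `zend.exception_ignore_args` off so that arguments are collected in the trace.

```php
<?php
// Added illustration: constructed names and credentials, not WordPress code.
// Requires PHP 8.2+ for #[\SensitiveParameter].

// Collect call arguments in traces so the difference is visible.
ini_set('zend.exception_ignore_args', '0');

function connect_plain(string $user, string $password): void
{
    // Hypothetical stand-in for a missing extension function such as mysqli_connect().
    missing_db_extension_function($user, $password);
}

function connect_redacted(string $user, #[\SensitiveParameter] string $password): void
{
    missing_db_extension_function($user, $password);
}

// Call $connect with sample credentials and return the arguments
// recorded for that call in the resulting Error's stack trace.
function trace_args(callable $connect): array
{
    try {
        $connect('wp_user', 'constructed-secret');
    } catch (\Error $e) {
        // Frame 0 is the call into $connect, with the arguments it received.
        return $e->getTrace()[0]['args'] ?? [];
    }
    return [];
}

foreach (['connect_plain', 'connect_redacted'] as $fn) {
    $shown = array_map(
        // A redacted argument is replaced by a SensitiveParameterValue object.
        fn ($arg) => is_object($arg) ? get_class($arg) : var_export($arg, true),
        trace_args($fn)
    );
    echo $fn, ': ', implode(', ', $shown), PHP_EOL;
}
```

The plain variant lists the password string among the recorded arguments, while the attributed variant records a `SensitiveParameterValue` object in its place.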