Bug #15263
closed
PHP error display formatting issues
100%
Description
There are multiple issues with the formatting of PHP errors in the GUI, including:
- Error/stack trace is printed twice
- Error message is plain text (not HTML) but is getting formatted like HTML
- Function arguments are printed in the stack trace which may contain user input
The first item is due to display_errors being on in php.ini but there is no need to display errors directly from PHP, they are printed in source:src/etc/inc/config.lib.inc#L1168 by pfSense_clear_globals() -- Changing display_errors to off is sufficient to address this.
The second point can be handled by wrapping the error output in pfSense_clear_globals() in source:src/etc/inc/config.lib.inc#L1168 (or close to there).
The second and third points combined have a potential to lead to an XSS if the user can influence the arguments displayed in the stack trace. So not only should we take more care when printing the errors (encode via htmlentities() or htmlspecialchars() in pfSense_clear_globals() in source:src/etc/inc/config.lib.inc#L1168) but on release versions we should suppress the function arguments in stack traces entirely (zend.exception_ignore_args=1 in php.ini)
I have a tested and working patch ready to commit.
Updated by Jim Pingle 3 months ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 9d78a172ec6c9b959ac1f5b321637e5009320658.
Updated by Jim Pingle 2 months ago
- Status changed from Feedback to In Progress
This change seems to have broken the "error locator" on diag_command.php. If you deliberately try to run broken code there it comes up blank.
Updated by Jim Pingle 2 months ago
- Status changed from In Progress to Feedback
Applied in changeset e7d7547c11291f04213eaf38eea12b11f434630f.
Updated by Jim Pingle 2 months ago
- Status changed from Feedback to Resolved
Everything appears to be working properly on the latest snapshot.