On Tue, Oct 29, 2013 at 6:55 AM, Dan Andreescu <[email protected]> wrote:
>> I don't think the idea here was to ever make the stack traces *safe*,
>> just to redact the most obvious things to reduce the risk if someone
>> carelessly posts a stack trace publicly.
>>
>> Personally, I think the "Java model" as exemplified in
>> https://gerrit.wikimedia.org/r/#/c/92334/ PS3 goes too far in the
>> other direction. In this case, an option to log unredacted traces that
>> I could enable on my local test wiki would be useful.
>
>
> I think Ori's original point stands though. Configuration could be used to
> redact fully / not redact at all for local debugging purposes. But a black
> list for what to redact is bad for all the reasons black lists are bad
> security in general.
I think the approach we are converging on is this:
- Always redact all argument values for user-facing backtraces
- Never redact any argument values for wfDebugLog()'d backtraces
- Redact arguments by replacing each argument with the name of its
class (if object) or type (if primitive).
The redacted traces look like this:
#0 /vagrant/mediawiki/extensions/Vector/Vector.hooks.php(82):
functionThatFails(OutputPage)
#1 [internal function]: VectorHooks::beforePageDisplay(string, string)
#2 /vagrant/mediawiki/includes/Hooks.php(199):
call_user_func_array(string, array)
#3 /vagrant/mediawiki/includes/GlobalFunctions.php(3877):
Hooks::run(string, array)
#4 /vagrant/mediawiki/includes/OutputPage.php(2075): wfRunHooks(string, array)
#5 /vagrant/mediawiki/includes/Wiki.php(610): OutputPage->output()
#6 /vagrant/mediawiki/includes/Wiki.php(467): MediaWiki->main()
#7 /vagrant/mediawiki/index.php(49): MediaWiki->run()
#8 {main}
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
