On Tue, Oct 29, 2013 at 6:55 AM, Dan Andreescu dandreescu@wikimedia.org wrote:
I don't think the idea here was to ever make the stack traces *safe*, just to redact the most obvious things to reduce the risk if someone carelessly posts a stack trace publicly.
Personally, I think the "Java model" as exemplified in https://gerrit.wikimedia.org/r/#/c/92334/ PS3 goes too far in the other direction. In this case, an option to log unredacted traces that I could enable on my local test wiki would be useful.
I think Ori's original point stands though. Configuration could be used to redact fully / not redact at all for local debugging purposes. But a black list for what to redact is bad for all the reasons black lists are bad security in general.
I think the approach we are converging on is this:
- Always redact all argument values for user-facing backtraces
- Never redact any argument values for wfDebugLog()'d backtraces
- Redact arguments by replacing each argument with the name of its class (if object) or type (if primitive).
The redacted traces look like this:
#0 /vagrant/mediawiki/extensions/Vector/Vector.hooks.php(82): functionThatFails(OutputPage)
#1 [internal function]: VectorHooks::beforePageDisplay(string, string)
#2 /vagrant/mediawiki/includes/Hooks.php(199): call_user_func_array(string, array)
#3 /vagrant/mediawiki/includes/GlobalFunctions.php(3877): Hooks::run(string, array)
#4 /vagrant/mediawiki/includes/OutputPage.php(2075): wfRunHooks(string, array)
#5 /vagrant/mediawiki/includes/Wiki.php(610): OutputPage->output()
#6 /vagrant/mediawiki/includes/Wiki.php(467): MediaWiki->main()
#7 /vagrant/mediawiki/index.php(49): MediaWiki->run()
#8 {main}
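As an added illustration of the converged approach (this is example code, not MediaWiki's own implementation or the patch under review), the following PHP formatter walks a debug_backtrace() array and emits either the redacted form used for user-facing traces or the unredacted form a wfDebugLog()-style log would keep; the function names and the sample call chain are hypothetical.

```php
<?php
// Added example, not MediaWiki's own code: format a backtrace either fully
// redacted (user-facing) or unredacted (debug-log output), following the
// behaviour agreed in the thread. Function names are hypothetical.

function describeArgument( $arg, $redact ) {
    if ( !$redact ) {
        // Debug-log mode: keep the real value.
        return var_export( $arg, true );
    }
    // User-facing mode: only the class name (objects) or type (primitives).
    return is_object( $arg ) ? get_class( $arg ) : gettype( $arg );
}

function formatBacktrace( array $frames, $redact = true ) {
    $lines = array();
    foreach ( $frames as $i => $frame ) {
        $args = isset( $frame['args'] ) ? $frame['args'] : array();
        $argList = array();
        foreach ( $args as $arg ) {
            $argList[] = describeArgument( $arg, $redact );
        }
        // Static calls carry '::' in 'type', method calls carry '->'.
        $callee = ( isset( $frame['class'] ) ? $frame['class'] . $frame['type'] : '' )
            . $frame['function'];
        $where = isset( $frame['file'] )
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $lines[] = '#' . $i . ' ' . $where . ': ' . $callee
            . '(' . implode( ', ', $argList ) . ')';
    }
    $lines[] = '#' . count( $frames ) . ' {main}';
    return implode( "\n", $lines );
}

// Constructed demonstration: a sensitive string is passed alongside an object.
class OutputPage {
}
function functionThatFails( OutputPage $out, $password ) {
    return formatBacktrace( debug_backtrace() );          // redacted
}
function functionThatFailsVerbose( OutputPage $out, $password ) {
    return formatBacktrace( debug_backtrace(), false );   // unredacted
}
echo functionThatFails( new OutputPage(), 'secret-password' ), "\n\n";
echo functionThatFailsVerbose( new OutputPage(), 'secret-password' ), "\n";
```

The first call prints a frame of the form `functionThatFails(OutputPage, string)`, matching the redacted trace above, while the second keeps the literal password, which is exactly why only the debug-log path should ever use it.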