On Tue, Oct 29, 2013 at 6:55 AM, Dan Andreescu <dandreescu(a)wikimedia.org> wrote:
I don't think the idea here was to ever make the stack traces *safe*,
just to redact the most obvious things to reduce the risk if someone
carelessly posts a stack trace publicly.
Personally, I think the "Java model" as exemplified in
https://gerrit.wikimedia.org/r/#/c/92334/ PS3 goes too far in the
other direction. In this case, an option to log unredacted traces that
I could enable on my local test wiki would be useful.

I think Ori's original point stands though. Configuration could be used to
redact fully / not redact at all for local debugging purposes. But a black
list for what to redact is bad for all the reasons black lists are bad
security in general.

I think the approach we are converging on is this:
- Always redact all argument values for user-facing backtraces
- Never redact any argument values for wfDebugLog()'d backtraces
- Redact arguments by replacing each argument with the name of its class (if object) or type (if primitive).
The redacted traces look like this:
#0 /vagrant/mediawiki/extensions/Vector/Vector.hooks.php(82): functionThatFails(OutputPage)
#1 [internal function]: VectorHooks::beforePageDisplay(string, string)
#2 /vagrant/mediawiki/includes/Hooks.php(199): call_user_func_array(string, array)
#3 /vagrant/mediawiki/includes/GlobalFunctions.php(3877): Hooks::run(string, array)
#4 /vagrant/mediawiki/includes/OutputPage.php(2075): wfRunHooks(string, array)
#5 /vagrant/mediawiki/includes/Wiki.php(610): OutputPage->output()
#6 /vagrant/mediawiki/includes/Wiki.php(467): MediaWiki->main()
#7 /vagrant/mediawiki/index.php(49): MediaWiki->run()
#8 {main}
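
The redaction rule from the list above (each argument replaced by its class name or type), as an added example that is not part of the original message and is not MediaWiki's code. The function names `formatRedactedTrace` and `checkPassword` and the sample secret are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not MediaWiki's API.

/**
 * Render a backtrace in the style of Exception::getTraceAsString(), but with
 * every argument value replaced by its class name (objects) or type (others).
 */
function formatRedactedTrace(array $trace): string {
    $lines = [];
    foreach ($trace as $i => $frame) {
        // 'args' can be absent (e.g. zend.exception_ignore_args=On).
        $types = array_map(
            static function ($arg) {
                return is_object($arg) ? get_class($arg) : gettype($arg);
            },
            $frame['args'] ?? []
        );
        // Frames invoked by the engine (callbacks) carry no file/line.
        $location = isset($frame['file'])
            ? "{$frame['file']}({$frame['line']})"
            : '[internal function]';
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $lines[] = "#$i $location: $call(" . implode(', ', $types) . ')';
    }
    $lines[] = '#' . count($trace) . ' {main}';
    return implode("\n", $lines);
}

// Constructed sample: a secret passed as an argument must not reach the output.
function checkPassword(string $user, string $password, array $opts) {
    throw new RuntimeException('login backend unavailable');
}

try {
    checkPassword('Alice', 'hunter2-constructed-secret', ['retry' => true]);
} catch (RuntimeException $e) {
    $redacted = formatRedactedTrace($e->getTrace());
    echo $redacted, "\n";
    // Regression guard: no argument value may appear in the user-facing text.
    assert(strpos($redacted, 'hunter2') === false);
}
```

Because the formatter never reads argument values at all, there is no list of sensitive names to maintain, which is the property the thread contrasts with a blacklist.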