MantisBT

ID: 0000644
Project: Xdebug
Category: Feature/Change request
View Status: public
Date Submitted: 2010-12-03 16:29
Last Update: 2015-02-22 14:30
Reporter: troelskn
Assigned To: derick
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: fixed
Platform: all
OS: all
OS Version: all
Product Version: 2.1.0
Target Version:
Fixed in Version: 2.3.0
Summary: 0000644: Shared secret for profiler_enable_trigger

Description: When the profiler_enable_trigger setting is enabled, any visitor to a server can initiate xdebug. Since this is rather heavyweight, it is a potential security risk.

It would be nice to have the option to specify a secret key that the client has to provide to trigger the profiler.
Tags: No tags attached.
Operating System:
PHP Version: 5.3.3
Attached Files:
- xdebug-2.0.5-trace_trigger_secret.patch (6,057 bytes) 2011-03-31 07:05
- xdebug-2.0.5-trace_trigger_secret-v2.patch (6,035 bytes) 2011-03-31 08:03
- svn-3438.patch (6,395 bytes) 2011-04-12 06:27

- Relationships

- Notes
(0001708)
ngaur (reporter)
2011-03-31 02:01

It's currently possible to turn XDebug off when not in use by changing the value of {trace,profile}_enable_trigger and doing an apache reload. So long as the module is still loaded, you won't need an apache restart.

It would be much better though to have a shared secret cookie value, making it reasonably safe to leave XDebug turned on all the time. So can I add my voice to this one.

I know in the company I work in, the list of people who could be given access to the shared secret value for producing trace files is not the same as the list of people who could be given root access to enable and disable XDebug in the ini file. In some cases we are working on client systems where no one in our company has root access, and to get xdebug's ini file changed requires going through a documented change management process, and considerable delay.

I've had a go at producing a patch, but my C skills are pretty rusty, so nothing working yet. I've done a bit of thinking about the spec in the process though.

I've so far been working on having extra configuration values ( {trace,profile}_enable_trigger_value ), but I do wonder if it would be better to change the semantics of {trace,profile}_enable_trigger so these are string values and for the sake of backward compatibility "0" is treated the same as no configured value or an empty string, meaning trigger is disabled, while any other value is treated as the required cookie value to activate the trigger.

Also, I've been considering that perhaps the ini file should contain only a file path, not the secret value, so that access to the secret can be more restricted.
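The trigger check sketched in the note above, as an added illustration in C (not the code from the attached patches or from Xdebug itself): `profiler_enable_trigger` switches the feature on, and a separate `profiler_enable_trigger_value`, the name the note proposes, holds the shared secret that the request's trigger parameter must match. The struct, the function names and the treatment of an empty secret as "any value accepted" are assumptions of this example; the comparison is constant-time so a wrong guess does not leak how many leading bytes matched.

```c
/* Added illustration of the secret-gated trigger discussed in this issue.
 * Not the attached patches' code and not Xdebug's own; names are assumed. */
#include <stddef.h>
#include <string.h>

/* Hypothetical mirror of the two ini settings discussed in the note:
 *   profiler_enable_trigger       (0/1)
 *   profiler_enable_trigger_value (shared secret; empty = any value) */
struct trigger_cfg {
    int enable_trigger;
    const char *trigger_value;
};

/* Constant-time equality of two NUL-terminated strings: the loop always
 * walks to the length of the longer string and accumulates differences
 * instead of returning at the first mismatch. */
static int ct_str_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* Decide whether a request may start the profiler.
 * provided: value of the trigger cookie/GET/POST parameter, or NULL when
 * the request carried none. Returns 1 to activate, 0 otherwise. */
int trigger_allowed(const struct trigger_cfg *cfg, const char *provided)
{
    if (!cfg->enable_trigger || provided == NULL)
        return 0;                 /* feature off, or no trigger sent at all */
    /* No secret configured: legacy behaviour, any trigger value activates. */
    if (cfg->trigger_value == NULL || cfg->trigger_value[0] == '\0')
        return 1;
    /* Secret configured: the client must present exactly that value. */
    return ct_str_equal(cfg->trigger_value, provided);
}
```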
(0001709)
ngaur (reporter)
2011-03-31 07:13

I've attached a patch file for xdebug 2.0.5 which attempts to address this issue, along with adding trace triggers and access to trace_enable from the command line via the environment variable.

This works in some cases, but can produce a segfault. Currently I can run it ok within apache (as configured), but I get a segfault when running php from the command line.
(0001710)
ngaur (reporter)
2011-03-31 07:14

Also, I'm unhappy with my current version in that the secret is stored in my xdebug.ini file, and viewable in a phpinfo() listing.
(0001711)
ngaur (reporter)
2011-03-31 08:08

xdebug-2.0.5-trace_trigger_secret-v2.patch deals with the segfault issue. It was caused by some debug lines I'd left in.

This patch addresses this feature request (0000644), and also 0000517 and 0000675 in a single patch.
(0001721)
ngaur (reporter)
2011-04-12 06:29

I've uploaded a new svn-3438.patch which can be applied to svn as it stands at present.

Lightly tested, but seems to work OK.

Storage of the secret is still not ideal.
(0002724)
derick (administrator)
2014-02-27 20:05

Hello Troels,

I am not sure if you're still interested, but it would be great if you could create a pull request against https://github.com/xdebug/xdebug

There is information at http://xdebug.org/contributing.php to provide some help with GIT.

cheers,
Derick
(0002913)
derick (administrator)
2014-11-17 09:54

Fixed for 2.3dev.

- Issue History
Date Modified Username Field Change
2010-12-03 16:29 troelskn New Issue
2011-03-31 02:01 ngaur Note Added: 0001708
2011-03-31 07:05 ngaur File Added: xdebug-2.0.5-trace_trigger_secret.patch
2011-03-31 07:13 ngaur Note Added: 0001709
2011-03-31 07:14 ngaur Note Added: 0001710
2011-03-31 08:03 ngaur File Added: xdebug-2.0.5-trace_trigger_secret-v2.patch
2011-03-31 08:08 ngaur Note Added: 0001711
2011-04-12 06:27 ngaur File Added: svn-3438.patch
2011-04-12 06:29 ngaur Note Added: 0001721
2014-02-27 20:05 derick Note Added: 0002724
2014-02-27 20:05 derick Assigned To => derick
2014-02-27 20:05 derick Status new => feedback
2014-11-17 09:54 derick Note Added: 0002913
2014-11-17 09:54 derick Status feedback => closed
2014-11-17 09:54 derick Resolution open => fixed
2014-11-17 09:54 derick Fixed in Version => 2.3dev
2015-02-22 14:30 derick Fixed in Version 2.3dev => 2.3.0

