View Issue Details

ID: 0000644
Project: Xdebug
Category: Profiling
View Status: public
Last Update: 2020-03-12 17:38
Reporter: troelskn
Assigned To: derick
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Platform: all
OS: all
OS Version: all
Product Version: 2.1.0
Fixed in Version: 2.3.0
Summary: 0000644: Shared secret for profiler_enable_trigger
Description

When the profiler_enable_trigger setting is enabled, any visitor to a server can initiate xdebug. Since this is rather heavyweight, it is a potential security risk.

It would be nice to have the option to specify a secret key that the client has to provide to trigger the profiler.

Tags: No tags attached.
Attached Files
xdebug-2.0.5-trace_trigger_secret.patch (6,057 bytes)   
diff -ru xdebug-2.0.5/php_xdebug.h xdebug-2.0.5-modified/php_xdebug.h
--- xdebug-2.0.5/php_xdebug.h	1970-01-01 20:13:08.000000000 +1100
+++ xdebug-2.0.5-modified/php_xdebug.h	2011-03-30 16:05:11.442678999 +1100
@@ -141,6 +141,8 @@
 	FILE         *trace_file;
 	zend_bool     do_trace;
 	zend_bool     auto_trace;
+	zend_bool     trace_enable_trigger;
+	char         *trace_enable_trigger_value;
 	char         *trace_output_dir;
 	char         *trace_output_name;
 	long          trace_options;
@@ -199,6 +201,7 @@
 	char         *profiler_output_dir;
 	char         *profiler_output_name; /* "pid" or "crc32" */
 	zend_bool     profiler_enable_trigger;
+	char         *profiler_enable_trigger_value;
 	zend_bool     profiler_append;
 
 	/* profiler globals */
diff -ru xdebug-2.0.5/xdebug.c xdebug-2.0.5-modified/xdebug.c
--- xdebug-2.0.5/xdebug.c	1970-01-01 20:13:08.000000000 +1100
+++ xdebug-2.0.5-modified/xdebug.c	2011-03-31 17:01:14.885110998 +1100
@@ -253,6 +253,8 @@
 PHP_INI_BEGIN()
 	/* Debugger settings */
 	STD_PHP_INI_BOOLEAN("xdebug.auto_trace",      "0",                  PHP_INI_ALL,    OnUpdateBool,   auto_trace,        zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_BOOLEAN("xdebug.trace_enable_trigger", "0",             PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   trace_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.trace_enable_trigger_value", "",          PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   trace_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_dir",  "/tmp",               PHP_INI_ALL,    OnUpdateString, trace_output_dir,  zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_name", "trace.%c",           PHP_INI_ALL,    OnUpdateString, trace_output_name, zend_xdebug_globals, xdebug_globals)
 #if ZEND_EXTENSION_API_NO < 90000000
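Review bot: The new xdebug.trace_enable_trigger_value entry stores the shared secret as an ordinary string INI setting, so it is listed with every other entry wherever INI values are displayed, phpinfo() included. Consider having the setting name a file that holds the secret, or masking the value on display, and document that the default "" leaves the trigger open to any request.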
@@ -300,11 +302,12 @@
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_dir",       "/tmp",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_dir,     zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_name",      "cachegrind.out.%p",  PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_name,    zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_enable_trigger", "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.profiler_enable_trigger_value", "",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   profiler_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_append",         "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_append,         zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_aggregate",      "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_aggregate,      zend_xdebug_globals, xdebug_globals)
 
 	/* Remote debugger settings */
-	STD_PHP_INI_BOOLEAN("xdebug.remote_enable",   "0",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   remote_enable,     zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_BOOLEAN("xdebug.remote_enable",   "0",                  PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   remote_enable,     zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.remote_handler",    "dbgp",               PHP_INI_ALL,    OnUpdateString, remote_handler,    zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.remote_host",       "localhost",          PHP_INI_ALL,    OnUpdateString, remote_host,       zend_xdebug_globals, xdebug_globals)
 	PHP_INI_ENTRY("xdebug.remote_mode",           "req",                PHP_INI_ALL,    OnUpdateDebugMode)
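Review bot: The -/+ pair on xdebug.remote_enable only realigns whitespace and has nothing to do with the trigger secret; drop it so the hunk carries just the new xdebug.profiler_enable_trigger_value line. That entry also needs a documentation line saying what the default "" means for requests that carry XDEBUG_PROFILE.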
@@ -437,6 +440,9 @@
 		if (strcasecmp(envvar, "profiler_enable_trigger") == 0) {
 			name = "xdebug.profiler_enable_trigger";
 		} else
+		if (strcasecmp(envvar, "trace_enable") == 0) {
+			name = "xdebug.trace_enable";
+		} else
 		if (strcasecmp(envvar, "remote_log") == 0) {
 			name = "xdebug.remote_log";
 		}
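Review bot: The added branch maps the trace_enable keyword to "xdebug.trace_enable", but the INI entries this patch registers are xdebug.auto_trace and xdebug.trace_enable_trigger; no xdebug.trace_enable entry appears anywhere in the diff. Point the mapping at the setting that is meant, or register the entry, so the keyword has a matching setting to change.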
@@ -785,11 +791,40 @@
 	XG(remote_enabled) = 0;
 	XG(profiler_enabled) = 0;
 	XG(breakpoints_allowed) = 1;
-	if (XG(auto_trace) && XG(trace_output_dir) && strlen(XG(trace_output_dir))) {
+	if (
+		(
+			XG(auto_trace)
+		 	||
+			(
+				/* Check for special GET/POST parameter to start the trace */
+				XG(trace_enable_trigger) &&
+				(
+					(
+						PG(http_globals)[TRACK_VARS_GET] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_GET]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS 
+					) || (
+						PG(http_globals)[TRACK_VARS_POST] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_POST]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS
+					) || (
+						PG(http_globals)[TRACK_VARS_COOKIE] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS
+					)
+				) && (
+					(strlen(XG(trace_enable_trigger_value)) == 0) ||
+					(strcmp(XG(trace_enable_trigger_value), Z_STRVAL_PP(dummy)) == 0)
+				)
+
+			)
+		 ) && XG(trace_output_dir) && strlen(XG(trace_output_dir))) {
+
 		/* In case we do an auto-trace we are not interested in the return
 		 * value, but we still have to free it. */
 		xdfree(xdebug_start_trace(NULL, XG(trace_options) TSRMLS_CC));
 	}
+	php_syslog(LOG_NOTICE, "trace_enable_trigger_value: '%s'", XG(trace_enable_trigger_value));
+	php_syslog(LOG_NOTICE, "dummy: '%s'",	Z_STRVAL_PP(dummy));
+
+
 
 	/* Initialize some debugger context properties */
 	XG(context).program_name   = NULL;
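Review bot: The two php_syslog() calls added after the if block read Z_STRVAL_PP(dummy) on every request, including requests where none of the three zend_hash_find() lookups ran or succeeded and dummy was never assigned, which is an invalid pointer read. They also write the configured secret and the submitted value to syslog at LOG_NOTICE. Remove both calls; if logging is wanted, log only whether the trigger matched.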
@@ -1494,6 +1529,9 @@
 							PG(http_globals)[TRACK_VARS_COOKIE] && 
 							zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, "XDEBUG_PROFILE", sizeof("XDEBUG_PROFILE"), (void **) &dummy) == SUCCESS
 						)
+					) && (
+						(strlen(XG(profiler_enable_trigger_value)) == 0) ||
+						(strcmp(XG(profiler_enable_trigger_value), Z_STRVAL_PP(dummy)) == 0)
 					)
 				)
 			)
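Review bot: strlen(XG(profiler_enable_trigger_value)) in the added condition is called without testing the pointer first, so a NULL setting value crashes here. Put a NULL test in front of the strlen() term and apply the same guard to the trace condition in the request-init hunk.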
xdebug-2.0.5-trace_trigger_secret-v2.patch (6,035 bytes)   
diff -ru xdebug-2.0.5/php_xdebug.h xdebug-2.0.5-modified/php_xdebug.h
--- xdebug-2.0.5/php_xdebug.h	1970-01-01 20:13:08.000000000 +1100
+++ xdebug-2.0.5-modified/php_xdebug.h	2011-03-30 16:05:11.442678999 +1100
@@ -141,6 +141,8 @@
 	FILE         *trace_file;
 	zend_bool     do_trace;
 	zend_bool     auto_trace;
+	zend_bool     trace_enable_trigger;
+	char         *trace_enable_trigger_value;
 	char         *trace_output_dir;
 	char         *trace_output_name;
 	long          trace_options;
@@ -199,6 +201,7 @@
 	char         *profiler_output_dir;
 	char         *profiler_output_name; /* "pid" or "crc32" */
 	zend_bool     profiler_enable_trigger;
+	char         *profiler_enable_trigger_value;
 	zend_bool     profiler_append;
 
 	/* profiler globals */
diff -ru xdebug-2.0.5/xdebug.c xdebug-2.0.5-modified/xdebug.c
--- xdebug-2.0.5/xdebug.c	1970-01-01 20:13:08.000000000 +1100
+++ xdebug-2.0.5-modified/xdebug.c	2011-03-31 18:00:57.665110993 +1100
@@ -253,6 +253,8 @@
 PHP_INI_BEGIN()
 	/* Debugger settings */
 	STD_PHP_INI_BOOLEAN("xdebug.auto_trace",      "0",                  PHP_INI_ALL,    OnUpdateBool,   auto_trace,        zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_BOOLEAN("xdebug.trace_enable_trigger", "0",             PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   trace_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.trace_enable_trigger_value", "",          PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   trace_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_dir",  "/tmp",               PHP_INI_ALL,    OnUpdateString, trace_output_dir,  zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_name", "trace.%c",           PHP_INI_ALL,    OnUpdateString, trace_output_name, zend_xdebug_globals, xdebug_globals)
 #if ZEND_EXTENSION_API_NO < 90000000
@@ -300,11 +302,12 @@
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_dir",       "/tmp",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_dir,     zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_name",      "cachegrind.out.%p",  PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_name,    zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_enable_trigger", "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.profiler_enable_trigger_value", "",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   profiler_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_append",         "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_append,         zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_aggregate",      "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_aggregate,      zend_xdebug_globals, xdebug_globals)
 
 	/* Remote debugger settings */
-	STD_PHP_INI_BOOLEAN("xdebug.remote_enable",   "0",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   remote_enable,     zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_BOOLEAN("xdebug.remote_enable",   "0",                  PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   remote_enable,     zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.remote_handler",    "dbgp",               PHP_INI_ALL,    OnUpdateString, remote_handler,    zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.remote_host",       "localhost",          PHP_INI_ALL,    OnUpdateString, remote_host,       zend_xdebug_globals, xdebug_globals)
 	PHP_INI_ENTRY("xdebug.remote_mode",           "req",                PHP_INI_ALL,    OnUpdateDebugMode)
@@ -437,6 +440,9 @@
 		if (strcasecmp(envvar, "profiler_enable_trigger") == 0) {
 			name = "xdebug.profiler_enable_trigger";
 		} else
+		if (strcasecmp(envvar, "auto_trace") == 0) {
+			name = "xdebug.auto_trace";
+		} else
 		if (strcasecmp(envvar, "remote_log") == 0) {
 			name = "xdebug.remote_log";
 		}
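Review bot: The auto_trace keyword added here lets the environment switch on xdebug.auto_trace, which is a separate feature from the trigger secret; the accompanying note says this patch also covers 0000517 and 0000675. Split it into its own patch so the secret check can be reviewed and merged on its own.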
@@ -785,12 +791,40 @@
 	XG(remote_enabled) = 0;
 	XG(profiler_enabled) = 0;
 	XG(breakpoints_allowed) = 1;
-	if (XG(auto_trace) && XG(trace_output_dir) && strlen(XG(trace_output_dir))) {
+	if (
+		(
+			XG(auto_trace)
+		 	||
+			(
+				/* Check for special GET/POST parameter to start the trace */
+				XG(trace_enable_trigger) &&
+				(
+					(
+						PG(http_globals)[TRACK_VARS_GET] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_GET]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS 
+					) || (
+						PG(http_globals)[TRACK_VARS_POST] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_POST]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS
+					) || (
+						PG(http_globals)[TRACK_VARS_COOKIE] &&
+						zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, "XDEBUG_TRACE", sizeof("XDEBUG_TRACE"), (void **) &dummy) == SUCCESS
+					)
+				) && (
+					(XG(trace_enable_trigger_value) == 0) ||
+					(strlen(XG(trace_enable_trigger_value)) == 0) ||
+					(strcmp(XG(trace_enable_trigger_value), Z_STRVAL_PP(dummy)) == 0)
+				)
+
+			)
+		 ) && XG(trace_output_dir) && strlen(XG(trace_output_dir))) {
+
 		/* In case we do an auto-trace we are not interested in the return
 		 * value, but we still have to free it. */
 		xdfree(xdebug_start_trace(NULL, XG(trace_options) TSRMLS_CC));
 	}
 
+
+
 	/* Initialize some debugger context properties */
 	XG(context).program_name   = NULL;
 	XG(context).list.last_file = NULL;
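Review bot: Z_STRVAL_PP(dummy) in the strcmp() line treats the request value as a string without checking its type; a GET, POST or cookie parameter can arrive as an array, and then the string member is not valid. Require Z_TYPE_PP(dummy) == IS_STRING before comparing and treat any other type as no match. The pointer test reads more clearly against NULL than against 0, and the two blank lines added after the closing brace should go.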
@@ -1494,6 +1528,10 @@
 							PG(http_globals)[TRACK_VARS_COOKIE] && 
 							zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, "XDEBUG_PROFILE", sizeof("XDEBUG_PROFILE"), (void **) &dummy) == SUCCESS
 						)
+					) && (
+						(XG(profiler_enable_trigger_value) == 0) ||
+						(strlen(XG(profiler_enable_trigger_value)) == 0) ||
+						(strcmp(XG(profiler_enable_trigger_value), Z_STRVAL_PP(dummy)) == 0)
 					)
 				)
 			)
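Review bot: This three-line secret test is a copy of the one in the request-init hunk, and strcmp() returns at the first differing byte, so comparison time depends on how many leading bytes of the submitted value are correct. Move the test into one helper shared by the trace and profiler triggers, and compare with a loop that always walks the full length.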

svn-3438.patch (6,395 bytes)   
Index: xdebug.c
===================================================================
--- xdebug.c	(revision 3438)
+++ xdebug.c	(working copy)
@@ -85,7 +85,7 @@
 
 int (*xdebug_orig_header_handler)(sapi_header_struct *h XG_SAPI_HEADER_OP_DC, sapi_headers_struct *s TSRMLS_DC);
 
-static int xdebug_trigger_enabled(int setting, char *var_name);
+static int xdebug_trigger_enabled(int setting, char *var_name, char *var_value);
 
 zend_function_entry xdebug_functions[] = {
 	PHP_FE(xdebug_get_stack_depth,       NULL)
@@ -239,6 +239,7 @@
 	/* Debugger settings */
 	STD_PHP_INI_BOOLEAN("xdebug.auto_trace",      "0",                  PHP_INI_ALL,    OnUpdateBool,   auto_trace,        zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.trace_enable_trigger", "0",             PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   trace_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.trace_enable_trigger_value", "",          PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   trace_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_dir",  XDEBUG_TEMP_DIR,      PHP_INI_ALL,    OnUpdateString, trace_output_dir,  zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_output_name", "trace.%c",           PHP_INI_ALL,    OnUpdateString, trace_output_name, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.trace_format",      "0",                  PHP_INI_ALL,    OnUpdateLong,   trace_format,      zend_xdebug_globals, xdebug_globals)
@@ -276,7 +277,8 @@
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_enable",         "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_enable,         zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_dir",       XDEBUG_TEMP_DIR,      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_dir,     zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_ENTRY("xdebug.profiler_output_name",      "cachegrind.out.%p",  PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString, profiler_output_name,    zend_xdebug_globals, xdebug_globals)
-	STD_PHP_INI_BOOLEAN("xdebug.profiler_enable_trigger", "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_BOOLEAN("xdebug.profiler_enable_trigger", "1",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_enable_trigger, zend_xdebug_globals, xdebug_globals)
+	STD_PHP_INI_ENTRY("xdebug.profiler_enable_trigger_value", "",   PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateString,   profiler_enable_trigger_value, zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_append",         "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_append,         zend_xdebug_globals, xdebug_globals)
 	STD_PHP_INI_BOOLEAN("xdebug.profiler_aggregate",      "0",      PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool,   profiler_aggregate,      zend_xdebug_globals, xdebug_globals)
 
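Review bot: The default of xdebug.profiler_enable_trigger changes from "0" to "1" on the replaced line, while the new xdebug.profiler_enable_trigger_value defaults to "". That switches request-triggered profiling on for installations that never set either value, which is the exposure this issue was opened about. Keep the default at "0" unless the change is intended and documented.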
@@ -428,6 +430,9 @@
 		if (strcasecmp(envvar, "profiler_enable_trigger") == 0) {
 			name = "xdebug.profiler_enable_trigger";
 		} else
+		if (strcasecmp(envvar, "trace_enable") == 0) {
+			name = "xdebug.trace_enable";
+		} else
 		if (strcasecmp(envvar, "remote_log") == 0) {
 			name = "xdebug.remote_log";
 		} else
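Review bot: This branch is back to mapping trace_enable to "xdebug.trace_enable", where the v2 patch used auto_trace and "xdebug.auto_trace"; the INI entries visible in this patch are xdebug.auto_trace and xdebug.trace_enable_trigger. Use the name of a setting that is actually registered.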
@@ -813,7 +818,7 @@
 	XG(profiler_enabled) = 0;
 	XG(breakpoints_allowed) = 1;
 	if (
-		(XG(auto_trace) || xdebug_trigger_enabled(XG(trace_enable_trigger), "XDEBUG_TRACE"))
+		(XG(auto_trace) || xdebug_trigger_enabled(XG(trace_enable_trigger), "XDEBUG_TRACE", XG(trace_enable_trigger_value)))
 		&& XG(trace_output_dir) && strlen(XG(trace_output_dir))
 	) {
 		/* In case we do an auto-trace we are not interested in the return
@@ -953,9 +958,9 @@
 	DISPLAY_INI_ENTRIES();
 }
 
-static int xdebug_trigger_enabled(int setting, char *var_name)
+static int xdebug_trigger_enabled(int setting, char *var_name, char *var_value)
 {
-	zval **dummy;
+	zval **trigger_val;
 
 	if (!setting) {
 		return 0;
@@ -963,14 +968,19 @@
 
 	if (
 		(
-			PG(http_globals)[TRACK_VARS_GET] &&
-			zend_hash_find(PG(http_globals)[TRACK_VARS_GET]->value.ht, var_name, strlen(var_name) + 1, (void **) &dummy) == SUCCESS
-		) || (
-			PG(http_globals)[TRACK_VARS_POST] &&
-			zend_hash_find(PG(http_globals)[TRACK_VARS_POST]->value.ht, var_name, strlen(var_name) + 1, (void **) &dummy) == SUCCESS
-		) || (
-			PG(http_globals)[TRACK_VARS_COOKIE] &&
-			zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, var_name, strlen(var_name) + 1, (void **) &dummy) == SUCCESS
+			(
+				PG(http_globals)[TRACK_VARS_GET] &&
+				zend_hash_find(PG(http_globals)[TRACK_VARS_GET]->value.ht, var_name, strlen(var_name) + 1, (void **) &trigger_val) == SUCCESS
+			) || (
+				PG(http_globals)[TRACK_VARS_POST] &&
+				zend_hash_find(PG(http_globals)[TRACK_VARS_POST]->value.ht, var_name, strlen(var_name) + 1, (void **) &trigger_val) == SUCCESS
+			) || (
+				PG(http_globals)[TRACK_VARS_COOKIE] &&
+				zend_hash_find(PG(http_globals)[TRACK_VARS_COOKIE]->value.ht, var_name, strlen(var_name) + 1, (void **) &trigger_val) == SUCCESS
+			)
+		) && (
+			(var_value == 0) ||
+			(strcmp(var_value, Z_STRVAL_PP(trigger_val)) == 0)
 		)
 	) {
 		return 1;
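Review bot: The condition (var_value == 0) || strcmp(...) drops the strlen(...) == 0 term that the v2 patch had, yet both new INI entries default to "". With an empty string rather than NULL in var_value, the trigger only matches when the request parameter is itself empty, so an installation with no secret configured stops responding to a non-empty XDEBUG_PROFILE or XDEBUG_TRACE value. Restore the empty-string case, and check Z_TYPE_PP(trigger_val) == IS_STRING before reading Z_STRVAL_PP(trigger_val).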
@@ -1236,7 +1246,7 @@
 		/* Check for special GET/POST parameter to start profiling */
 		if (
 			!XG(profiler_enabled) &&
-			(XG(profiler_enable) || xdebug_trigger_enabled(XG(profiler_enable_trigger), "XDEBUG_PROFILE"))
+			(XG(profiler_enable) || xdebug_trigger_enabled(XG(profiler_enable_trigger), "XDEBUG_PROFILE", XG(profiler_enable_trigger_value)))
 		) {
 			if (xdebug_profiler_init(op_array->filename TSRMLS_CC) == SUCCESS) {
 				XG(profiler_enabled) = 1;
Index: php_xdebug.h
===================================================================
--- php_xdebug.h	(revision 3438)
+++ php_xdebug.h	(working copy)
@@ -181,6 +181,7 @@
 	zend_bool     do_trace;
 	zend_bool     auto_trace;
 	zend_bool     trace_enable_trigger;
+	char         *trace_enable_trigger_value;
 	char         *trace_output_dir;
 	char         *trace_output_name;
 	long          trace_options;
@@ -255,6 +256,7 @@
 	char         *profiler_output_dir;
 	char         *profiler_output_name; /* "pid" or "crc32" */
 	zend_bool     profiler_enable_trigger;
+	char         *profiler_enable_trigger_value;
 	zend_bool     profiler_append;
 
 	/* profiler globals */
Operating System:
PHP Version: 5.3.3

Activities

ngaur

2011-03-31 01:01

reporter   ~0001708

It's currently possible to turn XDebug off when not in use by changing the value of {trace,profile}_enable_trigger and doing an apache reload. So long as the module is still loaded, you won't need an apache restart.

It would be much better though to have a shared secret cookie value, making it reasonably safe to leave XDebug turned on all the time. So can I add my voice to this one.

I know in the company I work in, the list of people who could be given access to the shared secret value for producing trace files is not the same as the list of people who could be given root access to enable and disable XDebug in the ini file. In some cases we are working on client systems where no one in our company has root access, and to get xdebug's ini file changed requires going through a documented change management process, and considerable delay.

I've had a go at producing a patch, but my C skills are pretty rusty, so nothing working yet. I've done a bit of thinking about the spec in the process though.

I've so far been working on having extra configuration values ( {trace,profile}_enable_trigger_value ), but I do wonder if it would be better to change the semantics of {trace,profile}_enable_trigger so these are string values and for the sake of backward compatibility "0" is treated the same as no configured value or an empty string, meaning trigger is disabled, while any other value is treated as the required cookie value to activate the trigger.

Also, I've been considering that perhaps the ini file should contain only a file path, not the secret value, so that access to the secret can be more restricted.

ngaur

2011-03-31 06:13

reporter   ~0001709

I've attached a patch file for xdebug 2.0.5 which attempts to address this issue, along with adding trace triggers and access to trace_enable from the command line via the environment variable.

This works in some cases, but can produce a segfault. Currently I can run it ok within apache (as configured), but I get a segfault when running php from the command line.

ngaur

2011-03-31 06:14

reporter   ~0001710

Also, I'm unhappy with my current version in that the secret is stored in my xdebug.ini file, and viewable in a phpinfo() listing.

ngaur

2011-03-31 07:08

reporter   ~0001711

xdebug-2.0.5-trace_trigger_secret-v2.patch deals with the segfault issue. It was caused by some debug lines I'd left in.

This patch addresses this feature request (0000644), and also 0000517 and 0000675 in a single patch.

ngaur

2011-04-12 05:29

reporter   ~0001721

I've uploaded a new svn-3438.patch which can be applied to svn as it stands at present.

Lightly tested, but seems to work OK.

Storage of the secret is still not ideal.

derick

2014-02-27 20:05

administrator   ~0002724

Hello Troels,

I am not sure if you're still interested, but it would be great if you could create a pull request against https://github.com/xdebug/xdebug

There is information at http://xdebug.org/contributing.php to provide some help with GIT.

cheers,
Derick

derick

2014-11-17 09:54

administrator   ~0002913

Fixed for 2.3dev.

Issue History

Date Modified Username Field Change
2010-12-03 16:29 troelskn New Issue
2011-03-31 01:01 ngaur Note Added: 0001708
2011-03-31 06:05 ngaur File Added: xdebug-2.0.5-trace_trigger_secret.patch
2011-03-31 06:13 ngaur Note Added: 0001709
2011-03-31 06:14 ngaur Note Added: 0001710
2011-03-31 07:03 ngaur File Added: xdebug-2.0.5-trace_trigger_secret-v2.patch
2011-03-31 07:08 ngaur Note Added: 0001711
2011-04-12 05:27 ngaur File Added: svn-3438.patch
2011-04-12 05:29 ngaur Note Added: 0001721
2014-02-27 20:05 derick Note Added: 0002724
2014-02-27 20:05 derick Assigned To => derick
2014-02-27 20:05 derick Status new => feedback
2014-11-17 09:54 derick Note Added: 0002913
2014-11-17 09:54 derick Status feedback => closed
2014-11-17 09:54 derick Resolution open => fixed
2014-11-17 09:54 derick Fixed in Version => 2.3dev
2015-02-22 14:30 derick Fixed in Version 2.3dev => 2.3.0
2020-03-12 16:55 derick Severity minor => feature
2020-03-12 17:38 derick Category Feature/Change request => Profiling