MantisBT - Xdebug
Issue 0000644 | Project: Xdebug | Category: Feature/Change request | View status: public | Date submitted: 2010-12-03 16:29 | Last update: 2015-02-22 14:30
0000644: Shared secret for profiler_enable_trigger
When the profiler_enable_trigger setting is enabled, any visitor to a server can initiate xdebug. Since this is rather heavyweight, it is a potential security risk.

It would be nice to have the option to specify a secret key, that the client has to provide to trigger the profiler.
No tags attached.
Attached files:
- xdebug-2.0.5-trace_trigger_secret.patch (6,057 bytes), 2011-03-31 07:05
- xdebug-2.0.5-trace_trigger_secret-v2.patch (6,035 bytes), 2011-03-31 08:03
- svn-3438.patch (6,395 bytes), 2011-04-12 06:27
Issue History
2010-12-03 16:29 | troelskn | New Issue
2011-03-31 02:01 | ngaur | Note Added: 0001708
2011-03-31 07:05 | ngaur | File Added: xdebug-2.0.5-trace_trigger_secret.patch
2011-03-31 07:13 | ngaur | Note Added: 0001709
2011-03-31 07:14 | ngaur | Note Added: 0001710
2011-03-31 08:03 | ngaur | File Added: xdebug-2.0.5-trace_trigger_secret-v2.patch
2011-03-31 08:08 | ngaur | Note Added: 0001711
2011-04-12 06:27 | ngaur | File Added: svn-3438.patch
2011-04-12 06:29 | ngaur | Note Added: 0001721
2014-02-27 20:05 | derick | Note Added: 0002724
2014-02-27 20:05 | derick | Assigned To: => derick
2014-02-27 20:05 | derick | Status: new => feedback
2014-11-17 09:54 | derick | Note Added: 0002913
2014-11-17 09:54 | derick | Status: feedback => closed
2014-11-17 09:54 | derick | Resolution: open => fixed
2014-11-17 09:54 | derick | Fixed in Version: => 2.3dev
2015-02-22 14:30 | derick | Fixed in Version: 2.3dev => 2.3.0

2011-03-31 02:01 | ngaur | Note 0001708
It's currently possible to turn XDebug off when not in use by changing the value of {trace,profile}_enable_trigger and doing an apache reload. So long as the module is still loaded, you won't need an apache restart.

It would be much better though to have a shared secret cookie value, making it reasonably safe to leave XDebug turned on all the time. So can I add my voice to this one.

I know in the company I work in, the list of people who could be given access to the shared secret value for producing trace files is not the same as the list of people who could be given root access to enable and disable XDebug in the ini file. In some cases we are working on client systems where no one in our company has root access, and to get xdebug's ini file changed requires going through a documented change management process, and considerable delay.

I've had a go at producing a patch, but my C skills are pretty rusty, so nothing working yet. I've done a bit of thinking about the spec in the process though.

I've so far been working on having extra configuration values ( {trace,profile}_enable_trigger_value ), but I do wonder if it would be better to change the semantics of {trace,profile}_enable_trigger so these are string values and for the sake of backward compatibility "0" is treated the same as no configured value or an empty string, meaning trigger is disabled, while any other value is treated as the required cookie value to activate the trigger.

Also, I've been considering that perhaps the ini file should contain only a file path, not the secret value, so that access to the secret can be more restricted.
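The trigger check sketched in this note, written out as an added example; it is not Xdebug's code and not taken from the attached patches. The function names, the constant-time comparison and the "first line of the file is the secret" format of the file-path variant are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Xdebug's code: the trigger semantics proposed in the
 * note. A configured value of NULL, "" or "0" disables the trigger; any
 * other string is the secret a request must present to fire it. */

/* Compare in constant time so response timing does not reveal how many
 * leading bytes of a guessed value matched the secret. */
static int secret_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/* configured: value of the trigger ini setting (NULL if unset)
 * provided:   trigger value sent with the request (NULL if absent)
 * Returns 1 when the profiler/tracer should start for this request. */
int trigger_allowed(const char *configured, const char *provided)
{
    if (configured == NULL || configured[0] == '\0' || strcmp(configured, "0") == 0)
        return 0;            /* trigger disabled, regardless of request */
    if (provided == NULL)
        return 0;            /* request carried no trigger value */
    return secret_equal(configured, provided);
}

/* Variant of the "ini holds only a file path" idea: read the first line
 * of the file into buf, dropping the newline. Returns 1 on success, so the
 * secret never appears in the ini file or in a phpinfo() listing. */
int load_secret_file(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    int ok = fgets(buf, (int)size, f) != NULL;
    fclose(f);
    if (!ok)
        return 0;
    buf[strcspn(buf, "\r\n")] = '\0';
    return buf[0] != '\0';
}
```

A missing or unreadable secret file leaves the trigger disabled rather than open to every visitor, which is the failure mode the issue is about.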
2011-03-31 07:13 | ngaur | Note 0001709
I've attached a patch file for xdebug 2.0.5 which attempts to address this issue, along with adding trace triggers and access to trace_enable from the command line via the environment variable.

This works in some cases, but can produce a segfault. Currently I can run it ok within apache (as configured), but I get a segfault when running php from the command line.
2011-03-31 07:14 | ngaur | Note 0001710
Also, I'm unhappy with my current version in that the secret is stored in my xdebug.ini file, and viewable in a phpinfo() listing.
2011-03-31 08:08 | ngaur | Note 0001711
xdebug-2.0.5-trace_trigger_secret-v2.patch deals with the segfault issue. It was caused by some debug lines I'd left in.

This patch addresses this feature request (0000644), and also 0000517 and 0000675 in a single patch.
2011-04-12 06:29 | ngaur | Note 0001721
I've uploaded a new svn-3438.patch which can be applied to svn as it stands at present.

Lightly tested, but seems to work OK.

Storage of the secret is still not ideal.
2014-02-27 20:05 | derick | Note 0002724
Hello Troels,

I am not sure if you're still interested, but it would be great if you could create a pull request against [^]

There is information at [^] to provide some help with GIT.

2014-11-17 09:54 | derick | Note 0002913
Fixed for 2.3dev.