Hi, in the doc we say: $cfg['ShowServerInfo'] boolean Defines whether to display detailed server information on main page. (...)
Currently, this parameter, when false, only hides the protocol version, the logged-in user and the server's full name (next to the verbose name).
It's true that this parameter is poorly named (it should have been ShowDetailedMySQLInfo). We got a request to remove all web server info and MySQL server info from the main page when this parameter is set to false. I think this would be appropriate.
Comments?
Marc Delisle wrote:
I can imagine that some people would rather obscure these facts from view. So yes, lets make ShowServerInfo realy mean all that server info.
In that same reasoning maybe we should also offer an option to not display the phpMyAdmin version.
One tricky sidenote: The export function also output's version information...
Herman van Rink a écrit :
Hmmm, well ... it is present also in Documentation.html and translators.html. What do you have in mind with this, obscuring for security purposes?
One tricky sidenote: The export function also output's version information...
Good point, so ShowServerInfo should have an impact also for export.
Hi
Dne Tue, 08 Dec 2009 14:16:21 -0500 Marc Delisle marc@infomarc.info napsal(a):
Makes sense to me.
It does not make sense, you need to include the version there so that people know for which version the documentation is.
Herman van Rink a écrit :
I'm working on it.
In that same reasoning maybe we should also offer an option to not display the phpMyAdmin version.
I would wait about this one.
One tricky sidenote: The export function also output's version information...
Since there are many ways to get MySQL server information, I think the goal here is just to "fix" the ShowServerInfo parameter.
Marc Delisle wrote:
The Drupal community has had a lengthy discussion about this: http://drupal.org/node/79018 A good point in made about not relying on security by obscurity.
In a similar fashion we could include a small note in the documentation about which files to delete/hide/make unreadable to keep this info from just every web-client.
Herman van Rink a écrit :
Can we discuss this during the team meeting at FOSDEM? :)
Am 11.12.2009 14:29, schrieb Herman van Rink:
no one relies on security by obscurity - at least not here in the pma devel team, IMHO
it is just an information disclosure we (hm, at least i am listening) are talking here about
let the user choose whether to display the information or not - even if i think it makes not much sense
at least most of the MySQL Server related information can be gathered by simple SQL statements
Sebastian Mendel a écrit :
Sebastian, who do you mean by "the user"? The person who runs phpMyAdmin or the one who has access to configure it?
at least most of the MySQL Server related information can be gathered by simple SQL statements
-
Herman van Rink -
Marc Delisle -
Michal Čihař -
Sebastian Mendel