[Phpmyadmin-devel] prevent users from seeing status and variables, why?
Hi, what is the reason for setting this default values to false? $cfg['ShowMysqlInfo'] = FALSE; // whether to display the "MySQL runtime $cfg['ShowMysqlVars'] = FALSE; // information", "MySQL system variables", "PHP $cfg['ShowPhpInfo'] = FALSE; // information" and "change password" links for $cfg['ShowChgPassword'] = FALSE; // simple users or not -- Sebastian Mendel www.sebastianmendel.de www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
Sebastian Mendel a écrit :
Hi,
what is the reason for setting this default values to false?
$cfg['ShowMysqlInfo'] = FALSE; // whether to display the "MySQL runtime $cfg['ShowMysqlVars'] = FALSE; // information", "MySQL system variables", "PHP $cfg['ShowPhpInfo'] = FALSE; // information" and "change password" links for $cfg['ShowChgPassword'] = FALSE; // simple users or not
About the SHOW PHP info, there was a time when the cookie containing the password was visible there in plain text, it might explain the reason for this default. For mysqlinfo and mysqlvars, I think it was determined that this is information useful for a system admin. For the password change, I think that most of users, if they have the possibility of changing their password, will do it, then will complain in phpMyAdmin support forums because all their other MySQL apps are now broken. Marc
Hi On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
About the SHOW PHP info, there was a time when the cookie containing the password was visible there in plain text, it might explain the reason for this default.
There is also reason that it can uncover much information about server.
For mysqlinfo and mysqlvars, I think it was determined that this is information useful for a system admin.
Both are also useful for user. We show eg. collations and storage engines in all cases, so these two IMHO sould be same case and I do not see need for configuration option.
For the password change, I think that most of users, if they have the possibility of changing their password, will do it, then will complain in phpMyAdmin support forums because all their other MySQL apps are now broken.
Yes, this one should be enabled by admin. -- Michal Čihař | http://cihar.com
Michal Čihař wrote:
Hi
On Wed 9. 11. 2005 19:51, Marc Delisle wrote:
About the SHOW PHP info, there was a time when the cookie containing the password was visible there in plain text, it might explain the reason for this default.
There is also reason that it can uncover much information about server.
the difference of phpinfo() with the other settings below is, that this should depend on if the user is 'superuser' on the 'localhost'! if i have a local PMA installation to manage localhost(user:root), intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is hidden only if i select one of the two external servers - but without any reason
For mysqlinfo and mysqlvars, I think it was determined that this is information useful for a system admin.
Both are also useful for user. We show eg. collations and storage engines in all cases, so these two IMHO sould be same case and I do not see need for configuration option.
i agree
For the password change, I think that most of users, if they have the possibility of changing their password, will do it, then will complain in phpMyAdmin support forums because all their other MySQL apps are now broken.
Yes, this one should be enabled by admin.
ok -- Sebastian Mendel www.sebastianmendel.de www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
Hi On Fri 11. 11. 2005 09:02, Sebastian Mendel wrote:
the difference of phpinfo() with the other settings below is, that this should depend on if the user is 'superuser' on the 'localhost'!
if i have a local PMA installation to manage localhost(user:root), intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is hidden only if i select one of the two external servers - but without any reason
There is no relation on being superuser in mysql and beeing able to have information about webserver. I'd leave this only on config option. So my suggestion: Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them in all cases. Drop $is_superuser condition from showing php info. -- Michal Čihař | http://cihar.com
Michal Čihař a écrit :
Hi
On Fri 11. 11. 2005 09:02, Sebastian Mendel wrote:
the difference of phpinfo() with the other settings below is, that this should depend on if the user is 'superuser' on the 'localhost'!
if i have a local PMA installation to manage localhost(user:root), intra.myweb.de(user:web) and www.myweb.de(user:web) - phpinfo() is hidden only if i select one of the two external servers - but without any reason
There is no relation on being superuser in mysql and beeing able to have information about webserver. I'd leave this only on config option.
So my suggestion: Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them in all cases. Drop $is_superuser condition from showing php info.
Ok for me.
Hi On Fri 11. 11. 2005 14:24, Marc Delisle wrote:
Michal Čihař a écrit :
So my suggestion: Drop $cfg['ShowMysqlInfo'] and $cfg['ShowMysqlVars'] and show them in all cases. Drop $is_superuser condition from showing php info.
Ok for me.
Just committed. -- Michal Čihař | http://cihar.com
participants (3)
-
Marc Delisle -
Michal Čihař -
Sebastian Mendel