Ticket #846 (closed defect: wontfix)
DB error shows private DB login in public area
| Reported by: | emmanueldt | Owned by: | xave |
|---|---|---|---|
| Priority: | normal | Milestone: | 2.2 |
| Component: | module:themes | Version: | 2.1 |
| Severity: | normal | Keywords: | DB, security |
| Cc: | | | |
Description
When a DB error occurs while dotclear tries to load the current theme, the following message is displayed:
"Dotclear UPDATE command denied to user 'PRIVATE_DB_LOGIN'@'IP_WEB_SERVER' for table 'dc_setting' (1142) Something went wrong while loading template file for your blog."
I noticed this error because I went over my ISP DB quotas, and I got both INSERT and UPDATE blocked. So I guess the error can be easily reproduced by raising an error on each UPDATE or INSERT.
In some cases, showing the private DB login may ease an attack on the DB server itself, which might not be a very good thing. Not to mention that there is no point in showing a parameter that is deeply hidden in the configuration files for security reasons.
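The failure mode reported above is a driver error string, DB login included, being rendered straight into a public page. The handling a practitioner would want is shown below as an added example; it is not Dotclear's code and is written in Python as a language-independent sketch rather than in Dotclear's PHP. It assumes the MySQL/MariaDB wording for error 1142 (`<COMMAND> command denied to user 'login'@'host' for table '...'`), and the sample message is constructed from the one quoted in the ticket. The full message goes only to a server-side record; the visitor gets a fixed sentence plus an opaque reference, and a redaction filter covers anything that still slips through.

```python
from __future__ import annotations

import re
import secrets

# MySQL/MariaDB wording for error 1142 (ER_TABLEACCESS_DENIED_ERROR), which is
# what the ticket quotes. A host that enforces a quota by revoking INSERT/UPDATE
# makes every write fail this way while reads keep working.
CREDENTIAL_RE = re.compile(r"'(?P<user>[^']*)'@'(?P<host>[^']*)'")
DENIED_RE = re.compile(r"\b(?P<command>[A-Z]+) command denied\b")
TABLE_RE = re.compile(r"for table '(?P<table>[^']*)'")
CODE_RE = re.compile(r"\((?P<code>\d{4})\)")

# The only text a visitor may see. It echoes nothing from the driver.
PUBLIC_TEXT = "Something went wrong while loading the blog. Reference: {ref}"


def redact_db_error(message: str) -> str:
    """Last-resort filter: scrub the 'user'@'host' pair from a DB error string
    so that a message which still reaches a public page leaks no login."""
    return CREDENTIAL_RE.sub("'<user>'@'<host>'", message)


def parse_db_error(message: str) -> dict:
    """Pull the structured fields out of a MySQL-style error message."""
    fields = {"command": None, "user": None, "host": None, "table": None, "code": None}
    if m := DENIED_RE.search(message):
        fields["command"] = m["command"]
    if m := CREDENTIAL_RE.search(message):
        fields["user"], fields["host"] = m["user"], m["host"]
    if m := TABLE_RE.search(message):
        fields["table"] = m["table"]
    if m := CODE_RE.search(message):
        fields["code"] = int(m["code"])
    return fields


def split_db_error(message: str, ref: str | None = None) -> tuple[str, dict]:
    """Return (text for the visitor, record for the private server log).

    The raw message, login included, lives only in the record; the visitor
    gets PUBLIC_TEXT with an opaque reference an admin can grep the log for.
    """
    ref = ref or secrets.token_hex(4)
    record = {"ref": ref, "raw": message, **parse_db_error(message)}
    # A 1142 on a write while reads succeed is the quota / read-only case
    # the reporter ran into; flag it so the admin sees the likely cause.
    record["likely_quota"] = (
        record["code"] == 1142 and record["command"] in ("INSERT", "UPDATE", "DELETE")
    )
    return PUBLIC_TEXT.format(ref=ref), record


def leaks_credential(public_text: str, record: dict) -> bool:
    """Pre-render check: the public text must not contain the parsed login."""
    return bool(record["user"]) and record["user"] in public_text


if __name__ == "__main__":
    # Constructed sample, modelled on the message quoted in the ticket.
    sample = (
        "Dotclear UPDATE command denied to user 'PRIVATE_DB_LOGIN'@'IP_WEB_SERVER' "
        "for table 'dc_setting' (1142) Something went wrong while loading "
        "template file for your blog."
    )
    public, private = split_db_error(sample)
    print("visitor sees :", public)
    print("log record   :", private)
    print("redacted raw :", redact_db_error(sample))
```

The reference in the public text is the link between what the visitor reports and what the admin finds in the log, so the detailed message never has to be shown to be useful. The redaction regex is a safety net, not the fix: any code path that prints a driver message verbatim to a public page is the real defect.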
Change History
comment:2 Changed 16 years ago by Moe
If I remember correctly, some OVH users had this error because their database exceeded the space quota.
comment:3 Changed 15 years ago by xave
- Status changed from new to closed
- Resolution set to wontfix
If the DB server thinks that information should be public, then that's ok with me. Besides, if we hide that one, we may as well hide all error messages, which would be fine if it did not trigger the opening of a bunch of "the error messages have to be explicit!" tickets.
Such errors are not usually shown. Errors while accessing the DB are hidden in normal circumstances, but that's the first time I have heard of that "read-only" behaviour.