View Issue Details

ID: 0018051
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2015-03-15 19:58
Reporter: foXen
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 1.3.0-beta.1
Target Version: 1.3.0-beta.2
Fixed in Version: 1.3.0-beta.2
Summary: 0018051: config_inc.php.sample should reflect the defaults (db_username and db_type)
Description

Current config_inc.php.sample states
$g_db_username = 'mantisdbuser';
$g_db_type = 'mysql';

while I think it should be:
$g_db_username = 'root';
$g_db_type = 'mysqli';

Tags: No tags attached.

Activities

dregad

2015-01-22 07:24

developer   ~0042247

Last edited: 2015-01-22 07:28

This is somewhat academical, because I believe most users would simply use the config_inc.php file generated by the installer (or copy/paste its contents).

$g_db_username = 'root';

I disagree. This is supposed to be an example, and I don't think it's good from a security best practices point of view, to indirectly promote the use of default DB accounts, especially one with high privileges such as root in MySQL, for web applications.

In fact, taking this one step further, we should probably consider changing this in config_defaults_inc.php.

$g_db_type = 'mysqli';

This one makes sense, will change.

foXen

2015-01-22 10:01

reporter   ~0042249

$g_db_username = 'root';
I disagree. This is supposed to be an example, and I don't think it's good from a security best practices point of view, to indirectly promote the use of default DB accounts, especially one with high privileges such as root in MySQL, for web applications.
In fact, taking this one step further, we should probably consider changing this in config_defaults_inc.php.

Acknowledged. :) Change this in config_defaults_inc.php to 'mantisdbuser' and your absolutely right concern on security as well as my initial intent are met. My 'solution' just took into account that the current install proposes 'root' if no config file is given.
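
Added example, not part of the original issue thread or of MantisBT's code: a small Python check for the two settings discussed above, flagging a default high-privilege DB account and the legacy 'mysql' driver in a config_inc.php. The sample configs, the PRIVILEGED_ACCOUNTS list and the function names are constructed for illustration.

```python
import re

# Uncommented MantisBT-style string assignments: $g_name = 'value';
# Lines starting with # or // do not match; /* ... */ blocks are not handled.
ASSIGN_RE = re.compile(r"""^\s*\$g_(\w+)\s*=\s*(['"])(.*?)\2\s*;""", re.MULTILINE)

# Assumption: account names treated as default high-privilege DB accounts.
PRIVILEGED_ACCOUNTS = {"root", "postgres", "sa"}

# Constructed sample configs (not copied from the MantisBT repository).
SAMPLE_OLD = """<?php
$g_hostname    = 'localhost';
$g_db_type     = 'mysql';
$g_db_username = 'root';
$g_db_password = '';
"""
SAMPLE_NEW = """<?php
# $g_db_username = 'root';
$g_db_type     = 'mysqli';
$g_db_username = 'mantisdbuser';
$g_db_password = 'constructed-placeholder';
"""

def parse_config(text):
    """Return {option: value} for $g_* string assignments; the last one wins."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(text)}

def audit(text):
    """Return a list of findings for the DB settings discussed in the issue."""
    cfg = parse_config(text)
    findings = []
    user = cfg.get("db_username")
    if user is None:
        findings.append("db_username not set: the default from config_defaults_inc.php applies")
    elif user.lower() in PRIVILEGED_ACCOUNTS:
        findings.append(f"db_username '{user}' is a default high-privilege account")
    if cfg.get("db_password") == "":
        findings.append("db_password is empty")
    if cfg.get("db_type") == "mysql":
        findings.append("db_type 'mysql' is the legacy driver; the sample now uses 'mysqli'")
    return findings

if __name__ == "__main__":
    for name, text in (("old sample", SAMPLE_OLD), ("new sample", SAMPLE_NEW)):
        print(name, audit(text) or "no findings")
```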

Related Changesets

MantisBT: master d698fd77

2015-01-22 07:24:58

dregad
Change $g_db_type to 'mysqli' in sample config_inc.php

Reflecting the new default value in config_defaults_inc.php introduced
in Jan 2014.

Fixes 0018051
mod - config/config_inc.php.sample

Issue History

Date Modified Username Field Change
2015-01-22 04:34 foXen New Issue
2015-01-22 07:24 dregad Note Added: 0042247
2015-01-22 07:28 dregad Note Edited: 0042247
2015-01-22 07:29 dregad Changeset attached => MantisBT master d698fd77
2015-01-22 07:29 dregad Assigned To => dregad
2015-01-22 07:29 dregad Status new => resolved
2015-01-22 07:29 dregad Resolution open => fixed
2015-01-22 07:29 dregad Fixed in Version => 1.3.0-beta.2
2015-01-22 10:01 foXen Note Added: 0042249
2015-01-26 01:33 atrol Target Version => 1.3.0-beta.2
2015-03-15 19:58 dregad Status resolved => closed