Download has DEBUG set to on. Potential security risk
News and General
Just so someone is aware. The download link on the site for EE 5 has the debug options set to 1 instead of 0. This means it will display all errors to everyone, visitors and public included. That is a potential security risk. I think that comes from developers computers but production downloads should not have this enabled. It should be to 0 so only admins can see errors. This is like setting display errors to on with PHP, again a security risk and not to be used on production servers.
I hope they fix this as I suspect people might be downloading and installing EE like that on their servers.
Hi Nibb,
Thanks for bringing this to our attention! We touched base about this internally. Just to confirm, you’re referring to the ‘Settings > Debugging & Output > Error Visibility’ setting? Or are you referring to the $debug = 1; in the admin.php file or index.php file?
I believe that 0 is used to suppress all errors on the front end, and 1 allows errors to be shown to Super Admins, 2 is for global errors to be displayed.
https://docs.expressionengine.com/latest/general/system-configuration-overrides.html#debug
We also took a quick peek in git history to see if it was a recent change, and it didn’t appear to be.
Once again, thank you for passing this along, if there’s any additional information you could provide it would be greatly appreciated!
-Tom
I’m referring to the file.
I checked with previous EE downloads and its set to off on all of them. But when I upgraded to the latest release, the download had this setting to on the files. If I didn’t spot that some reason, after upgrading my site would have be set to log all errors on the public site. This should only be turned on for testing and development, not production sites.
If this was set to on for my download I suspect other people have downloaded EE with that turned on as well.