SQL query is printed into browser in case of exception

[alexkuk]

Preconditions

1. Magento 2.2.2. Was reproduced on Magento 2.1.9 as well.
2. Production mode
3. Reproduced on EAV collections

Steps to reproduce

1. Add an erroneous SQL statement to collection select object. I've added this code to \Magento\Catalog\Block\Product\ListProduct::initializeProductCollection():

$collection = $layer->getProductCollection();
$collection->getSelect()->columns('qwerty');

as an example
2. Open some category page in a browser.

Expected result

1. No SQL query is printed in a browser

Actual result

1. SQL query is printed in a browser

Fix proposal

In the \Magento\Eav\Model\Entity\Collection\AbstractCollection::_loadEntities() replace $this->printLogQuery(true, true, $query); with $this->printLogQuery(false, true, $query);

[bydrei]

@alexkuk do you have pub/errors/local.xml or pub/errors/local.xml.sample ?

[magento-engcom-team]

@alexkuk, thank you for your report.
We've acknowledged the issue and added to our backlog.

[alexkuk]

@shyamranpara Common, displaying SQL in production IS an issue. It is a security problem and it's acknowledged and reproduced by the core team. The problem is in the AbstractCollection that is used by both framework and application code. Changing the core file is provided as an example how to reproduce the bug.

[magento-engcom-team]

Hi @alexkuk. Thank you for your report.
The issue has been fixed in #13607 by @shyamranpara in 2.2-develop branch
Related commit(s):

• f473572a997812b8d61ec0ee3f000a569857b263

The fix will be available with the upcoming 2.2.5 release.

[magento-engcom-team]

Hi @alexkuk. Thank you for your report.
The issue has been fixed in #14223 by @rostyslav-hymon in 2.3-develop branch
Related commit(s):

• f618e14d145f5f5a1751c0108c1f9e1b94f50ea6

The fix will be available with the upcoming 2.3.0 release.