xdebug / vscode-php-debug

PHP Debug Adapter for Visual Studio Code 🐞⛔
MIT License

VSCode XDEBUG fantom file open #953

Closed Cleverscript closed 3 months ago

Cleverscript commented 5 months ago

PHP version: 8.3.1
Xdebug version: 3.3.1
VS Code extension version: v1.34.0


Your launch.json:

{
    "version": "0.2.0",
    "configurations": [
        {
            "name": "remote XDebug",
            "type": "php",
            "request": "launch",
            "hostname": "192.168.1.100",
            "port": 9003,
            "pathMappings": {
                "/home/bitrix/ext_www/dokukin.v.bass-line.ru": "${workspaceRoot}"
            }
        },
    ]
}


Xdebug php.ini config:

zend_extension = xdebug.so
xdebug.start_with_request = yes
xdebug.discover_client_host = true
xdebug.client_host = 85.200.108.3
xdebug.client_port = 9003
xdebug.idekey = vsc
xdebug.mode = debug
xdebug.trace_output_name = trace.%s.%u
xdebug.profiler_output_name = cachegrind.out.%R.%u
xdebug.output_dir = /tmp
xdebug.log = /var/log/xdebug.log
xdebug.profiler_enable = 1
xdebug.profiler_enable_trigger = 1
xdebug.output_dir = /home/bitrix/www/xdebug_profiler


How can I make sure that files that I did not intend to debug are not opened? Moreover, my files are flying out even from other servers on which I am not currently working and have not opened the files! I need to debug just one file, without going to other files, how can I do this? https://www.youtube.com/watch?v=63K98NJYmKE

https://drive.google.com/file/d/1IRrlzjFubIsH_QPi0kGawz4c8gg5Do8T/view?usp=sharing

zobo commented 3 months ago

Hi! Sorry for the very late reply, this somehow escaped my attention.

You are probably developing on a server where multiple sites are running and they all share a common xdebug php config. Since you have xdebug.start_with_request = yes, each request made to the server (to any php file) will try to connect to your (or somebody else's) IDE (vscode).

You are seeing those files because there is an exception in the file and VS Code tries to open it. See multiple requests in the call stack window.


Also I see from the logs that you are not using this extension but the one from DEVSENSE. Or if you have both installed that extension is overriding this one.

I did not do any extensive check, but it looks like this is a public server. If that is true and you do not have proper outbound firewalls set up, the server is trying to connect to any client opening any php web page on it (xdebug.discover_client_host = true with xdebug.start_with_request = yes). This is a huge risk as the debug channel can be used to do anything on the server, even steal possible secrets, passwords...

Sorry, I take it back, looks like due to (probably) incomplete FCGI settings and missing HTTP_X_FORWARDED_FOR, REMOTE_ADDR headers xdebug.client_host = 85.200.108.3 is the default.

In any case having xdebug.mode = debug on in production is not just bad for security but also for performance.

If this is not a prod server I suggest using xdebug.start_with_request = trigger. https://xdebug.org/docs/all_settings#start_with_request

I'll close this issue, but do come back if there are other questions, and if possible let me know if you have both devsense and xdebug.php-debug extensions installed. Thanks!
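The settings combination described in the comment above can be checked mechanically. This is an added example, not code from the thread or from the vscode-php-debug project: a small Python audit of php.ini text for these Xdebug directives, where the function names, finding labels, sample configs and the 203.0.113.10 address are constructed for illustration.

```python
import re

TRUTHY = {"1", "yes", "true", "on"}  # boolean spellings php.ini accepts

FINDINGS = {  # labels are hypothetical, chosen for this example
    "mode-debug": "step debugging is enabled; keep it off production hosts",
    "start-always": "start_with_request=yes: every PHP request opens a debug connection",
    "discover-client": "discover_client_host: the connection target is taken from "
                       "request headers instead of a fixed client_host",
}

def parse_ini(text):
    """Return {directive: value}; a later duplicate overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ; comments
        m = re.match(r"([\w.]+)\s*=\s*(.*)", line)    # skips [section] headers
        if m:
            settings[m.group(1).lower()] = m.group(2).strip().strip('"')
    return settings

def audit_xdebug(text):
    """Return the finding labels that apply to the given php.ini text."""
    s = parse_ini(text)
    # Xdebug 3 defaults: mode=develop, start_with_request=default
    modes = {m.strip() for m in s.get("xdebug.mode", "develop").lower().split(",")}
    start = s.get("xdebug.start_with_request", "default").lower()
    discover = s.get("xdebug.discover_client_host", "false").lower() in TRUTHY
    if "debug" not in modes:
        return []
    found = ["mode-debug"]
    if start in TRUTHY:
        found.append("start-always")
        if discover:
            found.append("discover-client")
    return found

# Constructed sample mirroring the directives discussed in the issue.
REPORTED = """zend_extension = xdebug.so
xdebug.mode = debug
xdebug.start_with_request = yes
xdebug.discover_client_host = true
xdebug.client_host = 203.0.113.10 ; placeholder address
"""
# Constructed sample using the trigger setting suggested in the reply.
SUGGESTED = REPORTED.replace("= yes", "= trigger").replace("= true", "= false")

if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED), ("suggested", SUGGESTED)):
        for label in audit_xdebug(cfg):
            print(f"{name}: {label}: {FINDINGS[label]}")
```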

Cleverscript commented 3 months ago

Hi, thanks for the answer and the emphasis on the directives xdebug.discover_client_host and xdebug.start_with_request; this prompted me to read the documentation))

I solved this problem with this config, in which I added the directive "exclude", which cuts off eavesdropping on unnecessary files

{
    "version": "0.2.0",
    "configurations": [
        {
            // ...
            "pathMappings": {
                "/home/bitrix/ext_www/site.ru/bitrix/modules/itserw.chinamarket": "${workspaceRoot}"
            },
            "exclude": [
                "!**/home/bitrix/ext_www/site.ru/bitrix/modules/itserw.chinamarket**"
            ]
        },
    ]
}