Closed (fixed)
Project:
Drupal core
Version:
11.x-dev
Component:
other
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Issue tags:
Reporter:
Created:
31 Mar 2026 at 19:54 UTC
Updated:
4 May 2026 at 21:40 UTC
Jump to comment: Most recent
Comments
Comment #4
adhershmnair commentedAdded
#[\SensitiveParameter]to the$passwordparameter inInstallCommand::install(). This prevents the password from appearing in stack traces if the method throws an exception. Follow-up to #3296293.Comment #5
sourav_paulHey @adhershmnair, good catch 🙌
Two things before this goes for review:
CI pipeline first — please make sure MR !15311 is fully green (no PHPCS/PHPStan/test failures) before tagging for review.
Target main — core changes should land in main first (active dev branch), then get backported to 11.x / 10.4.x.
The #[\SensitiveParameter] addition itself looks right.
Thanks.
Comment #6
prudloff commentedThe password is passed to install_drupal() as part of $parameters so I wonder if this argument should also be marked sensitive (not sure, it can contain a lot of different things).
Comment #7
adhershmnair commentedComment #8
phenaproximaSeems legit.
Comment #9
godotislateRe #6: it looks like the password passed to install_drupal from InstallCommand::install() is just randomly generated? I don't see other uses of install_drupal where a password is passed in.Edited to add: Never mind, I was looking at the wrong branch, and I guess it doesn't make it any less sensitive anyway.
Comment #10
quietone commentedIssues are fixed on main first.
Comment #14
godotislateCommitted and pushed 7362bf4 to main and ac79785 to 11.x. Thanks!