This repository has been archived by the owner on May 17, 2021. It is now read-only.

SECURITY: password logged when exception thrown #153

Closed
fogs opened this issue Feb 14, 2019 · 1 comment

Comments

fogs (Contributor) commented Feb 14, 2019

We are using this software in one of our applications and it is of great help. Thanks for the great bundle!

Today we noticed that under certain conditions the password of a user might be logged in clear text. That is a critical security concern.

It happens when a ZendLdapException is thrown, is caught by the ZendLdapDriver and handled in zendExceptionHandler. There the exception is attached to the logger error method call as extra data. When converted to string, the native PHP exception will also output a stack trace. In this stack trace, the call to the bind() method is shown including the call parameters. One of which is the password.

My suggestion would be to create a sanitized exception class, derived from ZendLdapException, that gets the password as an additional parameter. That new exception class will implement its own __toString() method and mask the actual password before returning the string representation of itself.

fogs added a commit to fogs/FR3DLdapBundle that referenced this issue Feb 14, 2019
fogs added a commit to fogs/FR3DLdapBundle that referenced this issue Feb 14, 2019
Maks3w added a commit that referenced this issue Feb 14, 2019
Bugfix #153: log messages must not contain clear text passwords
@Maks3w Maks3w closed this as completed Feb 14, 2019
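The mechanism described in the report (the native Exception::__toString() rendering includes the stack trace, and the trace shows the bind() call with its arguments) and the proposed fix (a subclass whose __toString() masks the password), as an added PHP example. This is not FR3DLdapBundle's code and not the fix that was merged; ZendLdapException is a stand-in for the Zend LDAP exception class, and FailingLdapClient, SanitizedLdapException and authenticate() are names made up for this demonstration.

```php
<?php
declare(strict_types=1);

// Stand-in for the Zend LDAP exception class (assumption: a plain exception
// subclass, which is all this example relies on). Not the real class.
class ZendLdapException extends RuntimeException
{
}

// Hypothetical LDAP client whose bind() fails the way a wrong password would.
final class FailingLdapClient
{
    public function bind(string $username, string $password): void
    {
        throw new ZendLdapException('0x31 (Invalid credentials)');
    }
}

// Wrapper that renders like the original exception (message, trace, chained
// previous exception) but with the password masked. Made up for this example.
final class SanitizedLdapException extends ZendLdapException
{
    // PHP truncates string arguments in rendered traces to 15 bytes + "...".
    private const TRACE_STRING_LIMIT = 15;

    /** @var string */
    private $secret;

    public function __construct(ZendLdapException $inner, string $secret)
    {
        // Keep the original as "previous" so its message and trace stay available.
        parent::__construct($inner->getMessage(), $inner->getCode(), $inner);
        $this->secret = $secret;
    }

    public function __toString(): string
    {
        // parent::__toString() renders this exception and the whole previous
        // chain, including the trace line "FailingLdapClient->bind('jdoe', '...')".
        $rendered = parent::__toString();
        if ($this->secret === '') {
            return $rendered;
        }
        // Mask both the full secret and the truncated form PHP prints for
        // strings longer than 15 bytes; a plain str_replace of the full
        // secret would miss the truncated one.
        $needles = [$this->secret];
        if (strlen($this->secret) > self::TRACE_STRING_LIMIT) {
            $needles[] = substr($this->secret, 0, self::TRACE_STRING_LIMIT) . '...';
        }
        return str_replace($needles, '***', $rendered);
    }
}

// Returns true if the rendered text still contains the secret in either form.
function leaksSecret(string $rendered, string $secret): bool
{
    $truncated = substr($secret, 0, 15) . '...';
    return strpos($rendered, $secret) !== false
        || (strlen($secret) > 15 && strpos($rendered, $truncated) !== false);
}

// Plays the role of the driver: bind, catch, wrap. In the report the driver
// handed the raw exception to the logger as extra data; here both renderings
// are produced so they can be compared.
function authenticate(FailingLdapClient $ldap, string $username, string $password): SanitizedLdapException
{
    try {
        $ldap->bind($username, $password);
    } catch (ZendLdapException $e) {
        return new SanitizedLdapException($e, $password);
    }
    throw new LogicException('bind() is expected to fail in this example');
}

// Constructed sample input.
$password = 'correct horse battery staple';
$wrapped  = authenticate(new FailingLdapClient(), 'jdoe', $password);

$raw  = (string) $wrapped->getPrevious(); // what a logger would get from the original exception
$safe = (string) $wrapped;                // what it gets from the sanitized one

echo "raw rendering leaks password: "  . (leaksSecret($raw, $password) ? 'yes' : 'no') . "\n";
echo "safe rendering leaks password: " . (leaksSecret($safe, $password) ? 'yes' : 'no') . "\n";
echo "\n--- sanitized rendering ---\n" . $safe . "\n";
```

With PHP's built-in defaults the raw rendering contains a trace line of the form `FailingLdapClient->bind('jdoe', 'correct horse b...')` and the sanitized one shows `bind('jdoe', '***')`. Two caveats a practitioner should check: masking by string replacement is only as good as the set of forms the secret can take in the output, which is why the truncated prefix is handled explicitly; and on PHP 7.4+ the ini setting `zend.exception_ignore_args=On` (the php.ini-production default) stops argument values from being captured in traces at all, which is a useful defence in depth but should not be relied on as the only one, since a development ini or a different host may leave it off.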
fogs (Contributor, Author) commented Feb 15, 2019

Thanks for the speedy integration!

Any chance we can have this bugfix backported into the 3.x version? Currently I have to reference dev-master in my composer.json and would prefer a stable version number.

Thank you very much!
