merged branch lmcd/mask-passwords (PR #6482)

This PR was submitted for the master branch but it was merged into the 2.2 branch instead (closes #6482).

Commits
-------

f3e227a Mask PHP_AUTH_PW header in profiler

Discussion
----------

Mask PHP_AUTH_PW header in profiler

---------------------------------------------------------------------------

by fabpot at 2012-12-27T17:39:26Z

Not sure about this one. Having public access to the web profiler in the production environment is really bad anyway. There is a ton of information that could help an attacker. So, just hiding this specific bit of information won't make it better.

---------------------------------------------------------------------------

by lmcd at 2012-12-27T18:04:45Z

A few scenarios are suggested here where a developer might want the profiler switched on in production: http://symfony.com/doc/current/book/internals.html

I'm talking specifically about someone gaining malicious access to the filesystem. Ripping database tables is somewhat ineffective at stealing user credentials, considering passwords are usually securely hashed nowadays. But the profiler database would have usernames/passwords just sitting there in plaintext.

I know there is lots of information there to aid an attacker, but so is there in most databases (IP addresses, useragents, names, email addresses etc) - but passwords are widely accepted as the *one* thing that should *never* just be stored in plaintext.
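
The point made in the discussion above, as an added example (this is not code from the PR or from Symfony): a small PHP 7+ function that masks credentials in collector data before it reaches the profiler storage. It goes beyond the commit by also covering the other carriers of the same Basic-auth credential (the `authorization` header and the `HTTP_AUTHORIZATION` / `REDIRECT_HTTP_AUTHORIZATION` server variables) and by keeping the shape of the header entry, since `HeaderBag::all()` returns each header as a list of strings. The function name, the key lists and the sample request are assumptions made for the example.

```php
<?php
// Added example, not Symfony's code: mask every carrier of a request credential
// in the data a profiler collector would store.
// Assumed shapes: $headers as HeaderBag::all() returns them (lowercase key =>
// list of strings), $server as $_SERVER (UPPERCASE key => string).

// Assumed key lists; extend if your SAPI exposes credentials under other names.
const SENSITIVE_HEADERS = ['php-auth-pw', 'authorization', 'proxy-authorization'];
const SENSITIVE_SERVER  = ['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];

/**
 * Replace each sensitive value with $mask, preserving the entry's shape so that
 * templates expecting a list of strings for a header keep working.
 */
function maskRequestData(array $headers, array $server, string $mask = '******'): array
{
    foreach (SENSITIVE_HEADERS as $key) {
        if (isset($headers[$key])) {
            $headers[$key] = is_array($headers[$key])
                ? array_fill(0, count($headers[$key]), $mask)
                : $mask;
        }
    }
    foreach (SENSITIVE_SERVER as $key) {
        if (isset($server[$key])) {
            $server[$key] = $mask;
        }
    }

    return ['request_headers' => $headers, 'request_server' => $server];
}

// Constructed sample: a request authenticated with HTTP Basic "alice:s3cret".
$basic   = 'Basic ' . base64_encode('alice:s3cret');
$headers = [
    'host'          => ['example.com'],
    'authorization' => [$basic],
    'php-auth-user' => ['alice'],
    'php-auth-pw'   => ['s3cret'],
];
$server = [
    'REQUEST_URI'        => '/admin',
    'PHP_AUTH_USER'      => 'alice',
    'PHP_AUTH_PW'        => 's3cret',
    'HTTP_AUTHORIZATION' => $basic,
];

$data = maskRequestData($headers, $server);

// Neither the cleartext password nor its base64 form may survive in stored data.
$stored = json_encode($data);
assert(strpos($stored, 's3cret') === false);
assert(strpos($stored, base64_encode('alice:s3cret')) === false);
echo json_encode($data, JSON_PRETTY_PRINT), PHP_EOL;
```

Masking with a fixed string rather than deleting the key keeps the profiler panel honest about which headers were present, while the two asserts at the end are the check to keep: grep the serialized collector output for the secret in both its raw and encoded forms, because a credential that is only masked in one of its carriers is still stored.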

Fabien Potencier 2013-02-28 15:46:40 +01:00
commit ea5c7f1275

@ -99,6 +99,14 @@ class RequestDataCollector extends DataCollector implements EventSubscriberInter
'locale' => $request->getLocale(),
);
if (isset($this->data['request_headers']['php-auth-pw'])) {
$this->data['request_headers']['php-auth-pw'] = '******';
}
if (isset($this->data['request_server']['PHP_AUTH_PW'])) {
$this->data['request_server']['PHP_AUTH_PW'] = '******';
}
if (isset($this->controllers[$request])) {
$controller = $this->controllers[$request];
if (is_array($controller)) {
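Review bot: the mask is incomplete for the case it targets, because when the password arrives via HTTP Basic authentication the same credential is also present, base64-encoded, in the `authorization` entry of request_headers and in HTTP_AUTHORIZATION (or REDIRECT_HTTP_AUTHORIZATION, depending on the SAPI) in request_server, and neither is touched by the two isset blocks here. Mask those keys as well, preferably by looping over one list of sensitive header keys and one list of sensitive server keys instead of adding another isset/assign pair per key. Also check the shape: request_headers comes from HeaderBag::all(), where each value is a list of strings, so assigning the plain string '******' to 'php-auth-pw' changes the entry's type; either assign array('******') or confirm the profiler template handles a scalar there.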