1
0
mirror of https://github.com/Seldaek/monolog.git synced 2025-08-04 12:17:35 +02:00

Avoid information leaks through call_user_func arguments, fixes #1138

This commit is contained in:
Jordi Boggiano
2018-06-18 17:21:54 +02:00
parent 57a8a172e5
commit 3e92b08956
2 changed files with 43 additions and 1 deletions

View File

@@ -151,9 +151,20 @@ class NormalizerFormatter implements FormatterInterface
if (isset($frame['file'])) {
$data['trace'][] = $frame['file'].':'.$frame['line'];
} elseif (isset($frame['function']) && $frame['function'] === '{closure}') {
// We should again normalize the frames, because it might contain invalid items
// Simplify closures handling
$data['trace'][] = $frame['function'];
} else {
if (isset($frame['args'])) {
// Make sure that objects present as arguments are not serialized nicely but rather only
// as a class name to avoid any unexpected leak of sensitive information
$frame['args'] = array_map(function ($arg) {
if (is_object($arg) && !($arg instanceof \DateTime || $arg instanceof \DateTimeInterface)) {
return sprintf("[object] (%s)", get_class($arg));
}
return $arg;
}, $frame['args']);
}
// We should again normalize the frames, because it might contain invalid items
$data['trace'][] = $this->toJson($this->normalize($frame), true);
}

View File

@@ -407,6 +407,29 @@ class NormalizerFormatterTest extends \PHPUnit_Framework_TestCase
$result['context']['exception']['trace'][0]
);
}
public function testExceptionTraceDoesNotLeakCallUserFuncArgs()
{
try {
$arg = new TestInfoLeak;
call_user_func(array($this, 'throwHelper'), $arg, $dt = new \DateTime());
} catch (\Exception $e) {
}
$formatter = new NormalizerFormatter();
$record = array('context' => array('exception' => $e));
$result = $formatter->format($record);
$this->assertSame(
'{"function":"throwHelper","class":"Monolog\\\\Formatter\\\\NormalizerFormatterTest","type":"->","args":["[object] (Monolog\\\\Formatter\\\\TestInfoLeak)","'.$dt->format('Y-m-d H:i:s').'"]}',
$result['context']['exception']['trace'][0]
);
}
private function throwHelper($arg)
{
throw new \RuntimeException('Thrown');
}
}
class TestFooNorm
@@ -448,3 +471,11 @@ class TestToStringError
throw new \RuntimeException('Could not convert to string');
}
}
class TestInfoLeak
{
public function __toString()
{
return 'Sensitive information';
}
}