Avoid information leaks through call_user_func arguments, fixes #1138
@@ -151,9 +151,20 @@ class NormalizerFormatter implements FormatterInterface
|
||||
if (isset($frame['file'])) {
|
||||
$data['trace'][] = $frame['file'].':'.$frame['line'];
|
||||
} elseif (isset($frame['function']) && $frame['function'] === '{closure}') {
|
||||
// We should again normalize the frames, because it might contain invalid items
|
||||
// Simplify closures handling
|
||||
$data['trace'][] = $frame['function'];
|
||||
} else {
|
||||
if (isset($frame['args'])) {
|
||||
// Make sure that objects present as arguments are not serialized nicely but rather only
|
||||
// as a class name to avoid any unexpected leak of sensitive information
|
||||
$frame['args'] = array_map(function ($arg) {
|
||||
if (is_object($arg) && !($arg instanceof \DateTime || $arg instanceof \DateTimeInterface)) {
|
||||
return sprintf("[object] (%s)", get_class($arg));
|
||||
}
|
||||
|
||||
return $arg;
|
||||
}, $frame['args']);
|
||||
}
|
||||
// We should again normalize the frames, because it might contain invalid items
|
||||
$data['trace'][] = $this->toJson($this->normalize($frame), true);
|
||||
}
|
||||
|
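Review bot: The replacement in the new `array_map` closure is shallow: only an argument that is itself an object becomes `[object] (Class)` (the `is_object` check and `sprintf` return), while an object nested inside an array argument falls through to `return $arg;` unchanged and still reaches `$this->toJson($this->normalize($frame), true)` on the last lines, so if normalize() — outside this hunk — still renders objects via `__toString` or a property dump, the nested case is not covered by this fix. Scalar arguments such as strings are likewise passed through verbatim, which the two new comment lines do not say. A guard ahead of the object check, `if (is_array($arg)) { return '[array]'; }`, or re-applying the same mapping recursively to array elements, would close the nested case, and the comment could be extended with `// Scalars are still emitted verbatim; only direct object arguments are reduced to a class name`. The closure does not use `$this`, so `static function ($arg)` would also avoid binding it. The enclosing method starts and ends outside the hunk.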
@@ -407,6 +407,29 @@ class NormalizerFormatterTest extends \PHPUnit_Framework_TestCase
|
||||
$result['context']['exception']['trace'][0]
|
||||
);
|
||||
}
|
||||
|
||||
public function testExceptionTraceDoesNotLeakCallUserFuncArgs()
|
||||
{
|
||||
try {
|
||||
$arg = new TestInfoLeak;
|
||||
call_user_func(array($this, 'throwHelper'), $arg, $dt = new \DateTime());
|
||||
} catch (\Exception $e) {
|
||||
}
|
||||
|
||||
$formatter = new NormalizerFormatter();
|
||||
$record = array('context' => array('exception' => $e));
|
||||
$result = $formatter->format($record);
|
||||
|
||||
$this->assertSame(
|
||||
'{"function":"throwHelper","class":"Monolog\\\\Formatter\\\\NormalizerFormatterTest","type":"->","args":["[object] (Monolog\\\\Formatter\\\\TestInfoLeak)","'.$dt->format('Y-m-d H:i:s').'"]}',
|
||||
$result['context']['exception']['trace'][0]
|
||||
);
|
||||
}
|
||||
|
||||
private function throwHelper($arg)
|
||||
{
|
||||
throw new \RuntimeException('Thrown');
|
||||
}
|
||||
}
|
||||
|
||||
class TestFooNorm
|
||||
@@ -448,3 +471,11 @@ class TestToStringError
|
||||
throw new \RuntimeException('Could not convert to string');
|
||||
}
|
||||
}
|
||||
|
||||
class TestInfoLeak
|
||||
{
|
||||
public function __toString()
|
||||
{
|
||||
return 'Sensitive information';
|
||||
}
|
||||
}
|
||||
|
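Review bot: `testExceptionTraceDoesNotLeakCallUserFuncArgs` asserts only an exact rendering of `trace[0]`, so it will break on any formatting, namespace or date-format change while never directly checking the property it is named for; adding `$this->assertNotContains('Sensitive information', json_encode($result));` would keep guarding against the `TestInfoLeak::__toString` value regardless of how the frame is rendered. The empty `catch (\Exception $e) {}` also leaves `$e` undefined if `throwHelper` ever stops throwing, producing an unrelated notice instead of a clear failure; a `$this->fail('Expected exception');` as the last statement inside the `try` makes that case explicit. The enclosing test class continues outside the hunks on both sides.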