From dc89e161319157aa76a18c72646ba2c4cf3afd49 Mon Sep 17 00:00:00 2001
From: Ryan Cramer
Date: Fri, 1 Aug 2025 16:34:57 -0400
Subject: [PATCH] Update WireShutdown to support sanitization of debug backtraces
---
 wire/core/WireShutdown.php | 40 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/wire/core/WireShutdown.php b/wire/core/WireShutdown.php
index baea78e4..b1e0f70c 100644
--- a/wire/core/WireShutdown.php
+++ b/wire/core/WireShutdown.php
@@ -90,6 +90,25 @@ class WireShutdown extends Wire {
 */
 protected $error = array();
+ /**
+ * Methods that should have their arguments suppressed from PHP backtraces
+ *
+ * - Each method must include a `->`.
+ * - Methods should not include parenthesis.
+ * - If for specific class, include the class name before the `->`.
+ *
+ * @var string[]
+ *
+ */
+ protected $banBacktraceMethods = array(
+ '->___login', // Session or ProcessLogin
+ '->___start', // i.e. Tfa
+ '->___setPass', // Password.php
+ 'Session->___authenticate',
+ 'Password->matches',
+ 'Password->hash',
+ );
+
 /**
 * Default HTML to use for error message
 *
@@ -188,6 +207,7 @@ class WireShutdown extends Wire {
 protected function getErrorMessage(array $error) {
 $type = $error['type'];
+ $config = $this->config;
 if(isset($this->types[$type])) {
 $errorType = $this->types[$type];
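Review bot: The docblock for `$banBacktraceMethods` should state that entries are literal strings, because the getErrorMessage() hunk further down splices each one unescaped into a pattern delimited by `!`. An entry containing `!`, `.`, `(` or another regex metacharacter, for instance one added by a subclass, would break or widen that match. I would add `* - Entries are matched literally; do not use regex metacharacters or '!'.` to the list, or have the consumer call `preg_quote($name, '!')`. The class body starts and ends outside this hunk.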
@@ -203,7 +223,25 @@ class WireShutdown extends Wire {
 $detail = '';
 }
- return "$errorType: \t$message $detail ";
+ $message = "$errorType: \t$message $detail ";
+
+ if(strpos($message, '#1') !== false && stripos($message, '):')) {
+ // backtrace likely present in $message
+ // methods that should have their arguments excluded from backtrace
+ foreach($this->banBacktraceMethods as $name) {
+ if(strpos($message, "$name(") === false) continue;
+ if(!preg_match_all('!' . $name . '\([^\n]+\)!', $message, $matches)) continue;
+ foreach($matches[0] as $match) {
+ $message = str_replace($match, '->' . $name . '(...)', $message);
+ }
+ }
+ }
+
+ if(strlen((string) $config->dbPass) > 4) {
+ $message = str_replace((string) $config->dbPass, '[...]', $message);
+ }
+
+ return $message;
 }
 /**
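Review bot: The `$config->dbPass` replacement at the end of the added block only matches the complete password, but PHP's exception trace strings shorten long string arguments (15 bytes by default, followed by `...`). A longer password passed to a call that is not listed in `$banBacktraceMethods` would therefore presumably still show its leading characters. I would also mask the shortened form when the password exceeds that length, e.g. `$message = str_replace(substr($pass, 0, 15) . '...', '[...]', $message);`, and note in a comment that `zend.exception_ignore_args` removes arguments from traces altogether where it can be enabled. Separately, every `$name` already contains `->`, so `'->' . $name . '(...)'` produces a doubled arrow such as `->->___login(...)`; `$name . '(...)'` is enough. The guard `stripos($message, '):')` also lacks the `!== false` used beside it, and getErrorMessage() begins outside this hunk.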