Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential security issue #280

Open
am4rth opened this issue Aug 9, 2023 · 2 comments
Open

Potential security issue #280

am4rth opened this issue Aug 9, 2023 · 2 comments

Comments

@am4rth
Copy link

am4rth commented Aug 9, 2023
edited
Loading

If the ChainRouter does not find a match it throws a exception in which the request object is dumped as a string

Routing/src/ChainRouter.php

Line 177 in d1e3ba5

? "this request\n$request"

This can have security implications as all headers of the request (including Authorization-Header) are dumped in the exception. If this exception is logged or stored somewhere it can leak sensitive information or enable third parties access to private information.

Proposal: only add the requested method and path to the exception message
@dbu
Copy link
Member

dbu commented Aug 9, 2023

thanks for reporting this issue. you are right, there is the risk of leaking sensitive information into logs.

matching can happen on other things than the path and method. i think we should adjust the message a bit to not lead people to only look at the path and be confused.

do you have time to propose a pull request?

@am4rth
Copy link
Author

am4rth commented Aug 11, 2023

I will try to write a fix in the next couple of weeks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dbu @am4rth