Maks3w / FR3DLdapBundle

This bundle integrates LDAP Authentication with any user manager (Ex: FOSUserBundle)

SECURITY: password logged when exception thrown #153

Closed by fogs 5 years ago

fogs commented 5 years ago

We are using this software in one of our applications and it is of great help. Thanks for the great bundle!

Today we noticed that under certain conditions the password of a user might be logged in clear text. That is a critical security concern.

It happens when a ZendLdapException is thrown, is caught by the ZendLdapDriver and handled in zendExceptionHandler. There the exception is attached to the logger error method call as extra data. When converted to string, the native PHP exception will also output a stack trace. In this stack trace, the call to the bind() method is shown including the call parameters. One of which is the password.

My suggestion would be to create a sanitized exception class, derived from ZendLdapException, that gets the password as an additional parameter. That new exception class will implement its own __toString() method and mask the actual password before returning the string representation of itself.

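The following is an added illustration of the leak described above and of the sanitizing-exception approach the report proposes; it is not code from FR3DLdapBundle or from the issue author. The `LdapException` class, the `bind()` function and `driverBind()` are stand-ins for the Zend LDAP exception, `Zend\Ldap\Ldap::bind()` and the bundle's driver catch block; the `SanitizedLdapException` class, the `***` mask and the sample credentials are assumptions made for the example. It needs PHP 7.4 or later.

```php
<?php
// Added example (not FR3DLdapBundle code): how a bind() password reaches a log
// through an exception's stack trace, and how a sanitizing exception subclass
// masks it before the exception is turned into a string.
declare(strict_types=1);

/** Stand-in for the Zend LDAP exception class referenced in the issue. */
class LdapException extends RuntimeException {}

/** Stand-in for Zend\Ldap\Ldap::bind(); always fails here to force the exception path. */
function bind(string $username, string $password): void
{
    throw new LdapException("LDAP bind failed for $username");
}

/**
 * Assumed sanitizing subclass: same message/code/previous as the original
 * exception, but its string form masks the password argument that the
 * native trace would otherwise print verbatim.
 */
class SanitizedLdapException extends LdapException
{
    private string $secret;

    public function __construct(LdapException $inner, string $secret)
    {
        parent::__construct($inner->getMessage(), $inner->getCode(), $inner);
        $this->secret = $secret;
    }

    public function __toString(): string
    {
        // parent::__toString() appends getTraceAsString() for this exception and
        // for the chained previous one; both traces list bind()'s arguments.
        $text = parent::__toString();
        if ($this->secret === '') {
            return $text;
        }
        // Trace output prints string arguments in full only up to 15 bytes
        // (zend.exception_string_param_max_len in PHP 8); longer ones appear as
        // the first 15 bytes followed by "...", so that form is masked as well.
        $forms = [$this->secret];
        if (strlen($this->secret) > 15) {
            $forms[] = substr($this->secret, 0, 15) . '...';
        }
        return str_replace($forms, '***', $text);
    }
}

/**
 * Stand-in for the driver's catch block. Returns the text a logger would
 * record when it casts the exception it was handed to a string.
 */
function driverBind(string $username, string $password, bool $sanitize): string
{
    try {
        bind($username, $password);
    } catch (LdapException $e) {
        $toLog = $sanitize ? new SanitizedLdapException($e, $password) : $e;
        return (string) $toLog;
    }
    return '';
}

// Constructed sample credentials for the demonstration.
$dn       = 'cn=alice,dc=example,dc=org';
$password = 'Hunter2!';

$leaky = driverBind($dn, $password, false);
$safe  = driverBind($dn, $password, true);

// With zend.exception_ignore_args=Off (the built-in default) the first line
// reports the password present in the unsanitized text; the second does not.
printf("unsanitized text contains password: %s\n", strpos($leaky, $password) !== false ? 'yes' : 'no');
printf("sanitized text contains password:   %s\n", strpos($safe, $password) !== false ? 'yes' : 'no');
```

Two caveats for anyone applying this pattern. First, the mask only covers string conversion: a log handler that inspects `getTrace()` directly, rather than casting the exception, still receives the raw argument array. Second, PHP 7.4 added the `zend.exception_ignore_args` ini setting (enabled in `php.ini-production`), which drops call arguments from traces altogether and is worth enabling as defense in depth regardless of the bundle-level fix.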
fogs commented 5 years ago

Thanks for the speedy integration!

Any chance we can have this bugfix backported into the 3.x version? Currently I have to reference dev-master in my composer.json and would prefer a stable version number.

Thank you very much!