Thanks for the speedy integration!
Any chance we can have this bugfix backported into the 3.x version? Currently I have to reference dev-master in my composer.json and would prefer a stable version number.
Thank you very much!
We are using this software in one of our applications and it is of great help. Thanks for the great bundle!
Today we noticed that under certain conditions the password of a user might be logged in clear text. That is a critical security concern.

It happens when a ZendLdapException is thrown, is caught by the ZendLdapDriver and handled in `zendExceptionHandler`. There the exception is attached to the logger error method call as extra data. When converted to string, the native PHP exception will also output a stack trace. In this stack trace, the call to the bind() method is shown including the call parameters, one of which is the password.

My suggestion would be to create a sanitized exception class, derived from ZendLdapException, that gets the password as an additional parameter. That new exception class will implement its own `__toString()` method and mask the actual password before returning the string representation of itself.
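The leak and the proposed fix, as an added stand-alone example (not code from the bundle or from the reporter). `ZendLdapException`, `ZendLdapDriver`, `bind()`, `authenticate()` and `SanitizedLdapException` are stand-in names assumed here; the real classes and the `zendExceptionHandler` path are not reproduced. It needs PHP 8 and assumes `zend.exception_ignore_args=Off` (the php.ini-development default), since with that setting On the engine never records call arguments in traces and the native trace cannot leak them in the first place.

```php
<?php
declare(strict_types=1);

// Stand-in for the library's LDAP exception (assumed name).
class ZendLdapException extends RuntimeException {}

// Wrapper whose string form masks the bind password everywhere it occurs in
// the original exception's trace. Exception::__toString() is not final, so
// it can be overridden; getTraceAsString() is final and is NOT covered.
final class SanitizedLdapException extends ZendLdapException
{
    public function __construct(private string $secret, ZendLdapException $cause)
    {
        parent::__construct($cause->getMessage(), $cause->getCode(), $cause);
    }

    public function __toString(): string
    {
        // Render the wrapped exception's trace ourselves instead of delegating
        // to the native __toString(), which prints raw arguments.
        $cause = $this->getPrevious();
        $out = get_class($cause) . ': ' . $cause->getMessage()
            . ' in ' . $cause->getFile() . ':' . $cause->getLine() . "\nStack trace:\n";
        foreach ($cause->getTrace() as $i => $frame) {
            $args = array_map([$this, 'render'], $frame['args'] ?? []);
            $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
            $out .= sprintf("#%d %s(%s): %s(%s)\n",
                $i, $frame['file'] ?? '[internal]', $frame['line'] ?? 0, $call, implode(', ', $args));
        }
        return $out;
    }

    private function render(mixed $arg): string
    {
        if (is_string($arg)) {
            // Mask any string that contains the secret, not only an exact match,
            // so "user:pass"-style composites are covered too.
            if ($this->secret !== '' && str_contains($arg, $this->secret)) {
                return "'***'";
            }
            return "'" . $arg . "'";
        }
        if (is_scalar($arg) || $arg === null) {
            return var_export($arg, true);
        }
        return is_object($arg) ? 'Object(' . get_class($arg) . ')' : gettype($arg);
    }
}

// Minimal driver mirroring the path in the report: bind() throws, the caller
// catches and hands the exception to a logger that casts it to string.
final class ZendLdapDriver
{
    public function bind(string $username, string $password): void
    {
        throw new ZendLdapException('0x31 (Invalid credentials)');
    }

    // Returns the text that would reach the log, with or without sanitising.
    public function authenticate(string $username, string $password, bool $sanitize): string
    {
        try {
            $this->bind($username, $password);
        } catch (ZendLdapException $e) {
            $toLog = $sanitize ? new SanitizedLdapException($password, $e) : $e;
            return (string) $toLog;   // what a logger stringifying "extra" emits
        }
        return '';
    }
}

// Constructed sample credentials, not real ones.
$driver = new ZendLdapDriver();
$leaky  = $driver->authenticate('jdoe', 'Hunter2!', false);
$clean  = $driver->authenticate('jdoe', 'Hunter2!', true);

echo 'Native trace contains password:    ', var_export(str_contains($leaky, 'Hunter2!'), true), "\n";
echo 'Sanitized trace contains password: ', var_export(str_contains($clean, 'Hunter2!'), true), "\n";
echo $clean;
```

Two caveats when applying this pattern in a real bundle. First, the password appears in every frame that received it (here both `authenticate()` and `bind()`), so masking must walk the whole trace, not just the `bind()` frame. Second, the override only helps when the logger reaches the text by casting the exception to string; a logger that builds its own representation from `getTrace()`, `getTraceAsString()` or `getPrevious()` bypasses `__toString()` entirely, so check how the logger in use renders exception context and consider setting `zend.exception_ignore_args=On` (PHP 7.4+) in production as defence in depth.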