SECURITY: password logged when exception thrown

[fogs]

We are using this software in one of our applications and it is of great help. Thanks for the great bundle!

Today we noticed that under certain conditions the password of a user might be logged in clear text. That is a critical security concern.

It happens when a ZendLdapException is thrown, is caught by the ZendLdapDriver and handled in zendExceptionHandler. There the exception is attached to the logger error method call as extra data. When converted to string, the native PHP exception will also output a stack trace. In this stack trace, the call to the bind() method is shown including the call parameters. One of which is the password.

My suggestion would be to create a sanitized exception class, derived from ZendLdapException, that gets the password as additional parameter. That new exception class will implement it's own __toString() method and masking the actual password before returning the string representation of itself.

[fogs]

Thanks for the speedy integration!

Any chance we can have this bugfix backported into the 3.x version? Currently I have to reference dev-master in my composer.json and would prefer a stable version number..

¡Muchas gracias!