Mangopay / mangopay2-php-sdk

PHP SDK for MANGOPAY
https://packagist.org/packages/mangopay/php-sdk-v2
MIT License

DebugMode is true by default ⚠️ #636

Closed emnbdx closed 7 months ago

emnbdx commented 8 months ago

Since commit fe49ef57d3f0c948a2a5bbd53db1aab367c89b45 DebugMode is now true by default.

This could be problematic because it allows anyone to access the API client and secret if deployed in a production environment.

Here is a sample of what I get displayed directly in the browser on my test environment:

[Screenshot attached to the original post: 2024-03-11 at 23:54:29]

@mihaimoiseanu this one is for you, I think you forgot to remove it after testing.

For everybody looking for a workaround, you have to set DebugMode manually to false:

```php
$mangoPayApi = new MangoPay\MangoPayApi();
...
// Override the new default so credentials are not echoed to the response.
$mangoPayApi->Config->DebugMode = false;
```

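The workaround above relies on remembering to flip the flag in every code path that builds a client. The following is an added example, not code from the original post or from the SDK: it centralises client construction so DebugMode is always forced off, and adds a fail-closed check that refuses to start in a production environment if the flag is somehow still true. The `ClientId`, `ClientPassword` and `TemporaryFolder` configuration fields are assumed from the SDK's `Config` object; the `MANGOPAY_*` environment variable names and the `APP_ENV` value are constructed for this example.

```php
<?php
// Added example (not part of the issue thread or the MangoPay SDK):
// build the MangoPay client with DebugMode explicitly disabled and
// refuse to run in production if debug output would be enabled.
require_once __DIR__ . '/vendor/autoload.php';

use MangoPay\MangoPayApi;

/**
 * Build a MangoPayApi instance with credentials taken from the
 * environment and DebugMode forced to false regardless of the
 * SDK default. Config field names are assumed from the SDK.
 */
function createMangoPayApi(string $clientId, string $clientPassword, string $tempDir): MangoPayApi
{
    $api = new MangoPayApi();
    $api->Config->ClientId = $clientId;              // assumed SDK field
    $api->Config->ClientPassword = $clientPassword;  // assumed SDK field
    $api->Config->TemporaryFolder = $tempDir;        // assumed SDK field

    // Never rely on the default: the issue reports it became true in
    // a release, which prints client id and secret into the response.
    $api->Config->DebugMode = false;

    return $api;
}

/**
 * Fail closed: in production, a client with DebugMode enabled must not
 * be used. Returns true when the client is safe to use.
 */
function isSafeForEnvironment(MangoPayApi $api, string $env): bool
{
    if ($env === 'production' && $api->Config->DebugMode === true) {
        return false;
    }
    return true;
}

// Constructed environment variable names (not from the SDK).
$env = getenv('APP_ENV') ?: 'production';
$api = createMangoPayApi(
    (string) getenv('MANGOPAY_CLIENT_ID'),
    (string) getenv('MANGOPAY_CLIENT_PASSWORD'),
    sys_get_temp_dir() . '/mangopay'
);

if (!isSafeForEnvironment($api, $env)) {
    // Abort startup rather than serve pages that leak credentials.
    throw new RuntimeException('MangoPay DebugMode is enabled in production; refusing to start');
}
```

Routing every client through one factory means an SDK upgrade that changes the default again cannot silently re-enable debug output, and the startup check turns a credential leak into a visible deployment failure instead.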
impronta48 commented 8 months ago

Really severe! A lot of secret info exposed and payment system broken. I've downgraded to .26

victorberson99 commented 8 months ago

Same issue here! Had to downgrade to 0.26 too.

emnbdx commented 8 months ago

You can just set DebugMode to false instead of downgrading, as I said. But I understand downgrading when you are not satisfied by a version ;)

antoinep-origami commented 7 months ago

Same here. It sure can be fixed easily by setting debug mode to false, but I am not sure to understand why the debug mode is now enabled by default, seems like an error-prone behaviour to me.

emnbdx commented 7 months ago

@antoinep-origami when you examine the code, you'll notice that DebugMode is annotated with the comment [INTERNAL USAGE ONLY]. This leads me to believe that its inclusion was likely an oversight by a developer.

emnbdx commented 7 months ago

I created a PR to fix this! https://github.com/Mangopay/mangopay2-php-sdk/pull/637

florentdestremau commented 7 months ago

Same issue here, wtf, discovered on live user accounts!

OpJePl44tsm4n commented 7 months ago

Same, please merge the fix!

launay12u commented 7 months ago

Really weird, and without any information about this change 👎🏼 This can cause huge security problems.