nette / tracy

😎 Tracy: the addictive tool to ease debugging PHP code for cool developers. Friendly design, logging, profiler, advanced features like debugging AJAX calls or CLI support. You will love it.
https://tracy.nette.org

BlueScreen: used scrubber for HTTP headers #498

Closed dakujem closed 3 years ago

dakujem commented 3 years ago

Two sections of BlueScreen were previously not properly scrubbed:

This includes, for example, the Cookie header, which can easily be used to hijack the session.

The Cookie is plaintext-legible in the Headers section, while the $_COOKIE section right below gets properly scrubbed.

This PR fixes the issue.
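The gap described above, as an added example that is not part of this PR or Tracy's own code: a key-based check that hides `$_COOKIE['PHPSESSID']` never matches the header name `Cookie`, so the header has to be split into pairs and checked per cookie name. The function `scrubHeaders`, the `$hideKey` predicate, the header list and the sample request are all hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Tracy's API): mask secrets in request headers
// before they are rendered on an error page.
const MASK = '*****';
// Assumed list of headers whose entire value is a credential.
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'x-api-key'];

/**
 * @param array<string,string>  $headers request headers as name => value
 * @param callable(string):bool $hideKey same predicate that scrubs $_COOKIE keys
 * @return array<string,string> headers that are safe to display
 */
function scrubHeaders(array $headers, callable $hideKey): array
{
    $out = [];
    foreach ($headers as $name => $value) {
        $name = (string) $name;
        $lower = strtolower($name);
        if ($lower === 'cookie') {
            // The key here is only "Cookie", so test each cookie name instead.
            $pairs = [];
            foreach (explode(';', $value) as $pair) {
                [$k, $v] = array_pad(explode('=', trim($pair), 2), 2, '');
                if ($k !== '') {
                    $pairs[] = $k . '=' . ($hideKey($k) ? MASK : $v);
                }
            }
            $out[$name] = implode('; ', $pairs);
        } elseif (in_array($lower, SENSITIVE_HEADERS, true) || $hideKey($name)) {
            $out[$name] = MASK; // whole value is a secret
        } else {
            $out[$name] = $value;
        }
    }
    return $out;
}

// Constructed sample request, not taken from the PR.
$headers = [
    'Host' => 'app.example.test',
    'Cookie' => 'PHPSESSID=k3v9constructed; theme=dark',
    'Authorization' => 'Bearer constructed-token',
];
$hideKey = fn(string $key): bool => (bool) preg_match('#sess|token|passw#i', $key);

foreach (scrubHeaders($headers, $hideKey) as $name => $value) {
    echo "$name: $value\n";
}
```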

dakujem commented 3 years ago

Would you like me to create a second PR for the 2.x branch?

dg commented 3 years ago

Thanks. I'll copy it to the 2.7 branch.