symfony-cmf / Routing

Routing component building on the Symfony Routing component

Potential security issue #280

Open am4rth opened 1 year ago

am4rth commented 1 year ago

If the ChainRouter does not find a match it throws an exception in which the request object is dumped as a string https://github.com/symfony-cmf/Routing/blob/d1e3ba55073507c11e6f501b6b3cfc9c1dc7acaf/src/ChainRouter.php#L177

This can have security implications as all headers of the request (including the Authorization header) are dumped in the exception. If this exception is logged or stored somewhere it can leak sensitive information or enable third-party access to private information.

Proposal: only add the requested method and path to the exception message
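An added illustration of the leak described above and of a narrower message that still names the match-relevant attributes; this is example code, not code from the issue or from symfony-cmf/Routing. It assumes Symfony's HttpFoundation and Routing components are installed via Composer (the autoload path is an assumption) and PHP 8 for `str_contains`; the token and session values are constructed.

```php
<?php
// Added example: why rendering a Request into an exception message leaks
// headers, and a message that carries only what is needed to diagnose a
// failed match. Assumed Composer autoload path.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Exception\ResourceNotFoundException;

// Constructed sample request carrying a bearer token and a session cookie.
$request = Request::create('/admin/users', 'GET', [], [], [], [
    'HTTP_AUTHORIZATION' => 'Bearer constructed-secret-token',
    'HTTP_COOKIE' => 'PHPSESSID=constructed-session-id',
    'HTTP_HOST' => 'example.test',
]);

// Before: casting the Request to string renders the whole HTTP request,
// every header included, into the exception message that gets logged.
function leakyNotFound(Request $request): ResourceNotFoundException
{
    return new ResourceNotFoundException(
        sprintf("None of the routers in the chain matched this request\n%s", $request)
    );
}

// After: state method, scheme, host and path (the attributes routers in a
// chain commonly match on) without copying credentials, and say that other
// attributes may have been considered so readers do not fixate on the path.
function safeNotFound(Request $request): ResourceNotFoundException
{
    return new ResourceNotFoundException(sprintf(
        'None of the routers in the chain matched this request (%s %s://%s%s); '
        . 'routers may also have matched on host, scheme or other attributes',
        $request->getMethod(),
        $request->getScheme(),
        $request->getHttpHost(),
        $request->getPathInfo()
    ));
}

// What a log sink would record in each case.
$leaky = leakyNotFound($request)->getMessage();
$safe  = safeNotFound($request)->getMessage();

printf("leaky message contains the token: %s\n",
    str_contains($leaky, 'constructed-secret-token') ? 'yes' : 'no');
printf("safe message contains the token:  %s\n",
    str_contains($safe, 'constructed-secret-token') ? 'yes' : 'no');
```

Running the script shows the token only in the first message, which is the same check a log-review or unit test for this fix would make.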

dbu commented 1 year ago

thanks for reporting this issue. you are right, there is the risk of leaking sensitive information into logs.

matching can happen on other things than the path and method. i think we should adjust the message a bit to not lead people to only look at the path and be confused.

do you have time to propose a pull request?

am4rth commented 1 year ago

I will try to write a fix in the next couple of weeks :)