Open am4rth opened 1 year ago
Thanks for reporting this issue. You are right, there is the risk of leaking sensitive information into logs.
Matching can happen on other things than the path and method. I think we should adjust the message a bit to not lead people to only look at the path and be confused.
do you have time to propose a pull request?
I will try to write a fix in the next couple of weeks :)
If the `ChainRouter` does not find a match, it throws an exception in which the request object is dumped as a string: https://github.com/symfony-cmf/Routing/blob/d1e3ba55073507c11e6f501b6b3cfc9c1dc7acaf/src/ChainRouter.php#L177

This can have security implications, as all headers of the request (including the Authorization header) are dumped in the exception. If this exception is logged or stored somewhere, it can leak sensitive information or give third parties access to private information.
Proposal: only add the requested method and path to the exception message
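To make the leak and the proposed fix concrete, here is an added illustration (not code from symfony-cmf/Routing): a constructed stand-in for a request whose `__toString()` dumps every header, the message-building pattern that copies those headers into the exception, and the variant that only includes method and path. The class name `DumpingRequest`, the sample headers and the token value are all constructed for this example.

```php
<?php
// Constructed stand-in for a request object whose string form dumps all headers,
// which is the behaviour the issue describes. Not the project's own class.
final class DumpingRequest
{
    public function __construct(
        private string $method,
        private string $path,
        private array $headers,
    ) {}

    public function getMethod(): string { return $this->method; }
    public function getPathInfo(): string { return $this->path; }

    // Request line followed by every header, Authorization included.
    public function __toString(): string
    {
        $out = sprintf("%s %s HTTP/1.1\r\n", $this->method, $this->path);
        foreach ($this->headers as $name => $value) {
            $out .= sprintf("%s: %s\r\n", $name, $value);
        }
        return $out;
    }
}

// Before: interpolating the whole request copies credentials into the message,
// so anything that logs or stores the exception stores the credentials too.
function leakyMessage(DumpingRequest $request): string
{
    return "None of the routers in the chain matched this request\n" . $request;
}

// After (the proposal above): only method and path reach the message.
function safeMessage(DumpingRequest $request): string
{
    return sprintf('None of the routers in the chain matched this request (%s %s)',
        $request->getMethod(), $request->getPathInfo());
}

// Constructed sample request; the token is a placeholder, not a real credential.
$request = new DumpingRequest('GET', '/admin/reports', [
    'Host'          => 'example.test',
    'Authorization' => 'Bearer CONSTRUCTED-SAMPLE-TOKEN',
    'Cookie'        => 'PHPSESSID=constructedsessionid',
]);

// Check a reviewer can run: the secret must not appear in what gets logged.
if (!str_contains(leakyMessage($request), 'CONSTRUCTED-SAMPLE-TOKEN')) { throw new LogicException('expected leak'); }
if (str_contains(safeMessage($request), 'CONSTRUCTED-SAMPLE-TOKEN')) { throw new LogicException('still leaking'); }
echo safeMessage($request), PHP_EOL;
```

The same check (search the exception message for the credential you just sent) is a cheap regression test to keep around once the message format changes, since a later refactor that reintroduces `$request` interpolation would fail it immediately.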