thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server
https://oauth2.thephpleague.com
MIT License

Private key is shown in Error message on invalid pass phrase #1351

Status: Closed (MHC03 closed this 1 year ago)

MHC03 commented 1 year ago

CryptKey.php allows the private key to either be a file or its contents directly. When I pass in the contents and give it the wrong pass phrase, the private key is shown through the LogicException message. This might be a security issue. https://github.com/thephpleague/oauth2-server/blob/8ab731e84eef904b5913ba31b38116acf8ea50b6/src/CryptKey.php#L67
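The bug class described above, reproduced as an added example (this is not code from thephpleague/oauth2-server, and the class and function names `KeyLoadException`, `loadPrivateKeyLeaky` and `loadPrivateKey` are hypothetical). A loader that accepts either a file path or raw PEM contents fails on a wrong passphrase and interpolates its argument into the exception message; when the argument was the key material, that material ends up in logs, error pages and bug reports. The hardened variant names only the key's origin. The passphrase-protected key is generated at run time with PHP's OpenSSL extension, so nothing secret is embedded in the page.

```php
<?php
declare(strict_types=1);

// Added example, not code from oauth2-server. Names below are hypothetical.
final class KeyLoadException extends LogicException {}

// Decide whether the caller handed us PEM text or a path. Checking for the
// PEM header avoids calling filesystem functions on key material.
function isInlinePem(string $key): bool
{
    return str_starts_with(ltrim($key), '-----BEGIN');
}

/**
 * Vulnerable pattern: the whole argument is echoed into the message when
 * decryption fails. Fine for a path, catastrophic for inline key contents.
 */
function loadPrivateKeyLeaky(string $key, ?string $passPhrase): OpenSSLAsymmetricKey
{
    $source = isInlinePem($key) ? $key : 'file://' . $key;
    $handle = openssl_pkey_get_private($source, $passPhrase);
    if ($handle === false) {
        // BUG: $key may be the (encrypted) private key itself.
        throw new KeyLoadException('Unable to read key from ' . $key);
    }
    return $handle;
}

/**
 * Hardened pattern: describe the key by origin, never by contents. A path is
 * safe to name; inline material is only described, not quoted.
 */
function loadPrivateKey(string $key, ?string $passPhrase): OpenSSLAsymmetricKey
{
    $inline = isInlinePem($key);
    $source = $inline ? $key : 'file://' . $key;
    $handle = openssl_pkey_get_private($source, $passPhrase);
    if ($handle === false) {
        $origin = $inline ? 'inline key material' : 'file ' . $key;
        throw new KeyLoadException(
            'Unable to read private key from ' . $origin
            . ' (wrong passphrase or malformed PEM)'
        );
    }
    return $handle;
}

// Returns true when the loader's failure message contains key material.
function loaderLeaksKey(callable $loader, string $pem): bool
{
    try {
        $loader($pem, 'wrong-passphrase');
    } catch (KeyLoadException $e) {
        return str_contains($e->getMessage(), 'PRIVATE KEY');
    }
    return false; // unreachable with a wrong passphrase: the loader must throw
}

// Generate a throwaway RSA key and export it encrypted under a passphrase.
$generated = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
openssl_pkey_export($generated, $pem, 'correct-passphrase'); // $pem is encrypted PEM text

printf("leaky loader exposes key in message:    %s\n", loaderLeaksKey('loadPrivateKeyLeaky', $pem) ? 'yes' : 'no');
printf("hardened loader exposes key in message: %s\n", loaderLeaksKey('loadPrivateKey', $pem) ? 'yes' : 'no');
```

Two caveats worth checking in a real deployment. First, the message is not the only channel: PHP exception traces record call arguments unless `zend.exception_ignore_args` is enabled (php.ini-production turns it on, php.ini-development leaves it off), so a verbose error handler can still dump `$key` from the trace of either loader. Second, the same review should cover every error path that touches the key argument, not just the wrong-passphrase branch, since a malformed-PEM branch that logs its input leaks in exactly the same way.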

Sephster commented 1 year ago

Thanks for this. Great spot. Fixed in PR #1353. Cheers for reporting.

MHC03 commented 1 year ago

Thank you very much for this quick fix and release!