Closed MHC03 closed 1 year ago
CryptKey.php allows the private key to either be a file or its contents directly. When I pass in the contents and give it the wrong pass phrase, the private key is shown through the LogicException message. This might be a security issue. https://github.com/thephpleague/oauth2-server/blob/8ab731e84eef904b5913ba31b38116acf8ea50b6/src/CryptKey.php#L67
Thanks for this. Great spot. Fixed in PR #1353. Cheers for reporting.
Thank you very much for this quick fix and release!
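An added illustration of the bug class reported in this issue; it is not the library's code and not the change made in PR #1353. The functions `loadKeyLeaky` and `loadKeySafe` are hypothetical, and the key is a throwaway one generated inline.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not the library's CryptKey class.

// Before: the failure message embeds whatever the caller passed in. When that
// is PEM contents rather than a path, the key lands in logs and error pages.
function loadKeyLeaky(string $keyOrPath, string $passPhrase): OpenSSLAsymmetricKey
{
    $key = openssl_pkey_get_private($keyOrPath, $passPhrase);
    if ($key === false) {
        throw new LogicException('Invalid key supplied: ' . $keyOrPath);
    }
    return $key;
}

// After: only a file path is ever echoed back; key contents never are.
function loadKeySafe(string $keyOrPath, string $passPhrase): OpenSSLAsymmetricKey
{
    $isPath = str_starts_with($keyOrPath, 'file://');
    $key = openssl_pkey_get_private($keyOrPath, $passPhrase);
    if ($key === false) {
        while (openssl_error_string() !== false) {
            // Drain the OpenSSL error queue so stale errors do not surface later.
        }
        throw new LogicException(
            $isPath ? 'Unable to read key from ' . $keyOrPath
                    : 'Invalid key or passphrase supplied'
        );
    }
    return $key;
}

// Constructed sample: a throwaway EC key exported as passphrase-protected PEM.
$tmp = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'prime256v1']);
openssl_pkey_export($tmp, $pem, 'correct-passphrase');

foreach (['loadKeyLeaky', 'loadKeySafe'] as $loader) {
    try {
        $loader($pem, 'wrong-passphrase');
    } catch (LogicException $e) {
        $leaks = str_contains($e->getMessage(), 'PRIVATE KEY') ? 'yes' : 'no';
        printf("%s: exception message contains PEM? %s\n", $loader, $leaks);
    }
}
```

Exception stack traces can also carry function arguments; on PHP 8.2 and later, marking the key and passphrase parameters with `#[\SensitiveParameter]` redacts them there.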