Password is visible in arguments list in debug mode
Issue #17
new
In debug mode, the provided password is visible when listing arguments.
```
Arguments provided
┌──────────────────────────────────────────────────────────────────────────────┐
│ $ag_DebugOutput │
└──────────────────────────────────────────────────────────────────────────────┘
array (1) [
0 => array (4) [
'ky_UserKeyword' => string (4) "username"
'ky_UserPassword' => string (8) "secretpassword"
'ky_UserDomain' => null
'ky_GroupKeyword' => null
]
]
```
Comments (2)
reporter
phpKhelper provides a redacting tool which should be used. Especially in this case, the key name of the password field is known: `'ky_UserPassword'`.
Line 217 should be changed from…
```php
fn_Debug ( 'Arguments provided' , func_get_args() ) ;
```
to…
```php
fn_Debug ( 'Arguments provided' , func_get_args() , 'ky_UserPassword' ) ;
```
This appears to be due to the unmodified debugging of the arguments by using the PHP built-in function `func_get_args()` on line 217 (https://bitbucket.org/viharm/phpldapauth/src/ed71731fae6f9d4f7a03d0e8340645e2cb32578a/phpldapauth.php#lines-217).
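
The redaction step proposed in the comments, sketched as an added example: this is not code from phpldapauth or phpKhelper, `redact_keys()` and `authenticate_demo()` are hypothetical names, and the input is constructed to match the shape of the dump in this issue.

```php
<?php
// Added illustration; not phpKhelper's or phpldapauth's own code.
// redact_keys() and authenticate_demo() are hypothetical names.

/**
 * Return a copy of $data with the value of every listed key masked,
 * at any nesting depth. The mask has a fixed length so the dump does
 * not reveal the length of the secret. Null stays null, so the dump
 * still shows whether a credential was supplied at all.
 */
function redact_keys(array $data, array $sensitiveKeys, string $mask = '***REDACTED***'): array
{
    $out = [];
    foreach ($data as $key => $value) {
        if (is_string($key) && in_array($key, $sensitiveKeys, true)) {
            // Sensitive key: replace the value, whatever its type.
            $out[$key] = ($value === null) ? null : $mask;
        } elseif (is_array($value)) {
            // func_get_args() wraps the options array in a list,
            // so the password sits one level down: recurse.
            $out[$key] = redact_keys($value, $sensitiveKeys, $mask);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Stand-in for the function whose arguments are dumped in debug mode.
function authenticate_demo(array $options): array
{
    // Redact before the arguments reach any dump or log call.
    return redact_keys(func_get_args(), ['ky_UserPassword']);
}

// Constructed sample input, same keys as the dump in this issue.
$safe = authenticate_demo([
    'ky_UserKeyword'  => 'username',
    'ky_UserPassword' => 'secretpassword',
    'ky_UserDomain'   => null,
    'ky_GroupKeyword' => null,
]);

var_export($safe);
```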