
Possibly leaking sensitive data/password to logs

Open mika opened this issue 5 years ago • 0 comments

When setup fails due to an error like a missing mysql driver (package php-mysql on Debian), the password used is logged in plaintext to storage/logs/lumen.log.

Expected Behavior

No sensitive data/passwords ending up in any logs.

Current Behavior

Quoting the error message from storage/logs/lumen.log:

[2020-08-05 16:50:32] lumen.ERROR: PDOException: could not find driver in /srv/www/polr-2.2.0/vendor/illuminate/database/Connectors/Connector.php:55
Stack trace:
#0 /srv/www/polr-2.2.0/vendor/illuminate/database/Connectors/Connector.php(55): PDO->__construct('mysql:host=loca...', 'polr', 'foobar', Array)
#1 /srv/www/polr-2.2.0/vendor/illuminate/database/Connectors/MySqlConnector.php(22): Illuminate\Database\Connectors\Connector->createConnection('mysql:host=loca...', Array, Array)
#2 /srv/www/polr-2.2.0/vendor/illuminate/database/Connectors/ConnectionFactory.php(60): Illuminate\Database\Connectors\MySqlConnector->connect(Array)
#3 /srv/www/polr-2.2.0/vendor/illuminate/database/Connectors/ConnectionFactory.php(49): Illuminate\Database\Connectors\ConnectionFactory->createSingleConnection(Array)
#4 /srv/www/polr-2.2.0/vendor/illuminate/database/DatabaseManager.php(175): Illuminate\Database\Connectors\ConnectionFactory->make(Array, 'mysql')
#5 /srv/www/polr-2.2.0/vendor/illuminate/database/DatabaseManager.php(67): Illuminate\Database\DatabaseManager->makeConnection('mysql')
#6 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(3286): Illuminate\Database\DatabaseManager->connection('mysql')
#7 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(3252): Illuminate\Database\Eloquent\Model::resolveConnection(NULL)
#8 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(1932): Illuminate\Database\Eloquent\Model->getConnection()
#9 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(1875): Illuminate\Database\Eloquent\Model->newBaseQueryBuilder()
#10 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(1849): Illuminate\Database\Eloquent\Model->newQueryWithoutScopes()
#11 /srv/www/polr-2.2.0/vendor/illuminate/database/Eloquent/Model.php(3497): Illuminate\Database\Eloquent\Model->newQuery()
[...]

Note the foobar inside the stack trace.

Possible Solution

Maybe the information from https://github.com/Seldaek/monolog/issues/457 might be useful.

Steps to Reproduce (for bugs)

  1. Set up polr without php-mysql being present
  2. Visit $POLR_URL/setup and go through the (failing) installation
  3. View the polr/lumen log file (storage/logs/lumen.log)

Context

Possible security issue.

Your Environment

  • Version: polr 2.2.0 (latest stable release) with its corresponding composer dependencies
  • Environment name and version: Debian 10.4, PHP-7.3

mika, Aug 05 '20 17:08
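One mitigation for the leak shown in the trace above, as an added example that is not part of the issue or of polr's or Lumen's code: a Monolog processor that redacts the password argument of PDO->__construct() frames (and any known secret value) from the record message before the handler writes it to storage/logs/lumen.log. It assumes Monolog 1.x/2.x array records, a plain Monolog logger wired the way Lumen's is, and the env key DB_PASSWORD (the Lumen/Laravel default; an assumption about polr's .env).

```php
<?php
// Added example, not polr's or Lumen's own code: a Monolog processor that
// strips DB credentials from a record before it reaches storage/logs/lumen.log.
// Assumes Monolog 1.x/2.x, where a record is an array with a 'message' key.
// Redact credentials from a log record's message. $knownSecrets lists values
// that must never be logged (e.g. the DB password from the environment).
function redactDbCredentials(array $record, array $knownSecrets = []): array
{
    $text = $record['message'];
    // 1. Redact the third (password) argument of any PDO->__construct() frame,
    //    e.g. PDO->__construct('mysql:host=loca...', 'polr', 'foobar', Array).
    //    PHP's trace output truncates long string arguments to 15 chars plus "...",
    //    so matching on the call shape is more reliable than matching the value.
    $text = preg_replace(
        "/(PDO->__construct\\('[^']*', '[^']*', )'[^']*'/",
        "$1'[REDACTED]'",
        $text
    );
    // 2. Also blank out any known secret that appears verbatim anywhere in the
    //    message (covers frames and messages the pattern above does not match).
    foreach ($knownSecrets as $secret) {
        if ($secret !== '') {
            $text = str_replace($secret, '[REDACTED]', $text);
        }
    }
    $record['message'] = $text;
    return $record;
}

// Wiring with a plain Monolog logger (assumption: Lumen's logger is built the
// same way; the env key DB_PASSWORD is the Lumen/Laravel default and is an
// assumption about polr's .env). The processor runs on every record.
$logger = new \Monolog\Logger('lumen');
$logger->pushHandler(new \Monolog\Handler\StreamHandler(__DIR__ . '/storage/logs/lumen.log'));
$logger->pushProcessor(function (array $record) {
    return redactDbCredentials($record, [getenv('DB_PASSWORD') ?: '']);
});

// Constructed sample mirroring the failing setup: PDO is constructed inside a
// function so the exception trace carries the argument frame, as in the issue.
function connectForSetup(): \PDO
{
    return new \PDO('mysql:host=localhost;dbname=polr', 'polr', 'foobar');
}
try {
    connectForSetup();
} catch (\PDOException $e) {
    // Lumen casts the exception to string into the message; the processor sees it.
    $logger->error((string) $e);
}
```

The value-based pass in step 2 is the safety net for secrets that surface outside a PDO frame; the regex pass in step 1 is what handles the truncated-argument case that a plain value match would miss.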