Log message for database connection exposes the full URL that may contain plain text credentials #5339
Comments
The url should be redacted (or at least the password part), or the log set to debug instead of info?
Using a URL is actually a recommended configuration for recent Symfony releases, so this will affect a large number of users. Ideally, the passwords should never appear in logs, no matter the logging level. Also I do not think this information belongs to the
Do we know what versions are affected? I suspect it affects many versions, but was revealed only recently by doctrine/DoctrineBundle#1456.

IMO a good first step would be to unset [Lines 44 to 51 in e839cec] and tested in [dbal/tests/Logging/MiddlewareTest.php, Lines 37 to 58 in e839cec].
I suspect it affects only the new logging middleware, which would explain why it was revealed by that DoctrineBundle PR starting to use it in Symfony projects.
Referenced commits:
* …tive data (password)
* 3.4.x:
  - doctrine#5339 Redact connection URL from logs as it may contain sensitive data (password)
  - Update PHPStan to 1.5.3
  - Mark DBAL 2 as no longer maintained
  - Remove documentation bits only relevant to DBAL 2
  - Leverage int-mask-of to make types more precise
  - Support TEXT/BLOB default values on MariaDB
The doctrine channel records the following log when a connection is established to the database:
Although the `password` field value is not visible (`<redacted>` instead), the password is visible in the `url` field (https://github.com/doctrine/dbal/blob/3.3.x/src/Logging/Driver.php#L31). Using a URL instead of individual DB parameters is valid though (https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#getting-a-connection). This can be a security issue regarding where the logs are stored and who has access to those logs.
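As an added example (not code from this issue or from Doctrine DBAL), the two behaviours contrasted in PHP: a mask that only touches the top-level `password` key, which is what the report describes, and a hardened variant that also rewrites the `url` value so the embedded password never reaches the log. The function names, the parameter array and its credentials are constructed for illustration and are not DBAL's own.

```php
<?php
declare(strict_types=1);

// Added example, not Doctrine DBAL code. The parameter array mirrors the shape
// DBAL accepts (either a 'url' or individual keys); helper names are hypothetical.

/**
 * The behaviour the issue describes: only the top-level 'password' key is
 * masked, so a password embedded in 'url' is logged verbatim.
 */
function maskPasswordOnly(array $params): array
{
    if (isset($params['password'])) {
        $params['password'] = '<redacted>';
    }
    return $params;
}

/**
 * Hardened variant: mask 'password' and rewrite 'url' with the userinfo
 * password replaced. Anything that cannot be parsed is dropped rather than
 * logged unmodified (fail closed).
 */
function maskConnectionParams(array $params): array
{
    if (isset($params['password'])) {
        $params['password'] = '<redacted>';
    }
    if (isset($params['url'])) {
        $params['url'] = redactUrlPassword((string) $params['url']);
    }
    return $params;
}

function redactUrlPassword(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '<redacted>'; // unparseable or schemeless: never emit the raw value
    }
    if (!isset($parts['user']) && !isset($parts['pass'])) {
        return $url; // no credentials embedded, safe to log as-is
    }
    $result = $parts['scheme'] . '://';
    if (isset($parts['user'])) {
        $result .= $parts['user'];
        if (isset($parts['pass'])) {
            $result .= ':<redacted>';
        }
        $result .= '@';
    }
    $result .= $parts['host'] ?? '';
    if (isset($parts['port'])) {
        $result .= ':' . $parts['port'];
    }
    $result .= $parts['path'] ?? '';
    if (isset($parts['query'])) {
        $result .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $result .= '#' . $parts['fragment'];
    }
    return $result;
}

// Constructed sample input (not a real deployment). The password is present
// both as its own key and percent-encoded inside the URL's userinfo.
$params = [
    'url'      => 'mysql://app_user:s3cr3t%21@db.internal:3306/app?charset=utf8mb4',
    'password' => 's3cr3t!',
    'driver'   => 'pdo_mysql',
];

// What the unfixed mask would hand to the logger: 'url' still carries the secret.
echo json_encode(maskPasswordOnly($params), JSON_UNESCAPED_SLASHES), PHP_EOL;

// Hardened output, plus an explicit check that the secret is gone from every field.
$masked = maskConnectionParams($params);
echo json_encode($masked, JSON_UNESCAPED_SLASHES), PHP_EOL;
foreach ($masked as $key => $value) {
    if (is_string($value) && strpos($value, 's3cr3t') !== false) {
        fwrite(STDERR, "FAIL: secret still present in '$key'\n");
        exit(1);
    }
}
```

Rebuilding the URL keeps host, port, database and query string in the log, which is useful when debugging connection problems. If that detail is not needed, replacing the whole `url` value with a placeholder (the first comment's "at least the password part" alternative, taken to its simpler end) avoids any dependence on `parse_url` edge cases and is the safer default.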