Newsgroups: php.internals
Subject: Re: [PHP-DEV] RFC [Discussion]: Redacting parameters in back traces
From: jordan.ledoux@gmail.com (Jordan LeDoux)
Date: Mon, 10 Jan 2022 23:21:44 -0800
To: Michael Morris
Cc: PHP internals

On Mon, Jan 10, 2022 at 9:37 PM Michael Morris wrote:

> If someone can inject a debug_backtrace into your code and get it executed
> you have bigger problems than a parameter being exposed. And if you
> configure your prod servers to be all chatty Kathy to the world on error,
> you need to learn how to do better. A change to the language is not in
> order here.

These things can also be logged as well. This isn't a security concern only in the sense of the backtrace being displayed on a webpage output or something. There are legal requirements in many jurisdictions about how data can be retained and where. It is entirely possible that something could be accidentally logged that would inadvertently violate a local regulation for handling of customer data.

Jordan
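As an added illustration of the point Jordan raises (this is not code from the thread or from the RFC): a PHP script showing that both an exception's trace and debug_backtrace() capture live argument values by default, so any log sink that stores a raw trace also stores the secret, beside a trace formatter that keeps file, line and function but drops the argument values before the trace is written anywhere. All function names are hypothetical, the credentials and token are constructed sample values, and PHP 8.0 or later is assumed for str_contains().

```php
<?php
declare(strict_types=1);

// Hypothetical credential check. $password is the value that must never
// reach a log file.
function authenticate(string $user, string $password): bool
{
    // A failure deep in the call chain: the exception carries a trace, and
    // each frame of that trace includes an 'args' list holding the live
    // parameter values (unless zend.exception_ignore_args is On; note that
    // php.ini-production enables it and php.ini-development does not).
    throw new RuntimeException("auth backend unavailable for $user");
}

// Same exposure without exceptions: a debugging helper that snapshots the
// current stack. With the default options every frame carries its 'args';
// DEBUG_BACKTRACE_IGNORE_ARGS omits them at capture time.
function snapshotStack(bool $withArgs): array
{
    return $withArgs
        ? debug_backtrace()
        : debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS);
}

// Hypothetical caller whose $token parameter would be captured by the
// snapshot taken one frame below it.
function helperThatLogs(string $token, bool $withArgs): array
{
    return snapshotStack($withArgs);
}

// Naive logging: serialises the raw trace, argument values included.
function formatTraceUnsafe(array $frames): string
{
    return json_encode($frames, JSON_THROW_ON_ERROR);
}

// Hardened logging: keeps enough to debug (file, line, function) but
// replaces the argument list with a count, so parameter values never
// reach the log sink regardless of what the caller passed in.
function formatTraceRedacted(array $frames): string
{
    $clean = [];
    foreach ($frames as $frame) {
        $clean[] = [
            'file'     => $frame['file'] ?? '[internal]',
            'line'     => $frame['line'] ?? 0,
            'function' => ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'],
            'args'     => isset($frame['args'])
                ? sprintf('[%d args redacted]', count($frame['args']))
                : '[no args captured]',
        ];
    }
    return json_encode($clean, JSON_THROW_ON_ERROR);
}

// Constructed sample values; 'hunter2' stands in for a real secret.
try {
    authenticate('alice', 'hunter2');
} catch (RuntimeException $e) {
    $raw      = formatTraceUnsafe($e->getTrace());
    $redacted = formatTraceRedacted($e->getTrace());
    printf("exception trace, raw:         contains secret? %s\n", str_contains($raw, 'hunter2') ? 'yes' : 'no');
    printf("exception trace, redacted:    contains secret? %s\n", str_contains($redacted, 'hunter2') ? 'yes' : 'no');
}

// Constructed sample token for the debug_backtrace() case.
$withArgs    = formatTraceUnsafe(helperThatLogs('sess-token-123', true));
$withoutArgs = formatTraceUnsafe(helperThatLogs('sess-token-123', false));
printf("debug_backtrace():            contains token?  %s\n", str_contains($withArgs, 'sess-token-123') ? 'yes' : 'no');
printf("debug_backtrace(IGNORE_ARGS): contains token?  %s\n", str_contains($withoutArgs, 'sess-token-123') ? 'yes' : 'no');
```

Run it with `php example.php`. The thread's concern is the first case: an exception caught by a top-level handler and written to a log lands in retained storage with every parameter value intact, whether or not anything was ever displayed to a browser, and the redacting formatter is the single place where a team can enforce its retention rules for that path. The RFC under discussion here was later adopted for PHP 8.2 as the `#[\SensitiveParameter]` attribute, which has the engine substitute a placeholder object for a marked parameter's value in traces, so the redaction no longer depends on every logging path remembering to do it.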