Newsgroups: php.internals
From: Tim Düsterhus, WoltLab GmbH (duesterhus@woltlab.com)
To: Pierre Joye
Cc: PHP internals
Date: Tue, 11 Jan 2022 10:40:40 +0100
Subject: Re: [PHP-DEV] RFC [Discussion]: Redacting parameters in back traces

Hi Pierre

On 1/11/22 4:48 AM, Pierre Joye wrote:
> Also sensitive data goes way beyond arguments, GDPR brings a lot of
> issues here too. Userland packages like monolog provide filters or
> custom output, I think that is where it should be handled.

I believe that the author of a function is in the best position to decide whether a specific argument generally holds sensitive data or not. This avoids every exception handler / logger / … having to check what function parameters hold sensitive data and scrubbing them, possibly missing some.

Of course these exception handlers / loggers will still need to take care of any other data they are getting from the request context. But in that case the affected values (e.g. the user object) often need to be explicitly passed into the handler, because they are application specific.

> As a side note, the RFC mentions that zend.exception_ignore_args may
> not be configurable on some shared hosters, it is INI_ALL, so even in
> the code could change it, any time, back and forth:

I've seen all kinds of broken configurations / broken builds at shared web hosting over time, where things that generally work, do not for some reason.

But good point indeed, I've removed that list item and only left the other one.

Best regards
Tim Düsterhus
Developer WoltLab GmbH

--

WoltLab GmbH
Nedlitzer Str. 27B
14469 Potsdam

Tel.: +49 331 96784338

duesterhus@woltlab.com
www.woltlab.com

Managing director:
Marcel Werk

AG Potsdam HRB 26795 P