Comments (5)
I disagree that there is an information disclosure problem in util.Objects. Secret values that should not appear in stacktraces or anywhere else should use the util.Secret class introduced in 6.8.0 almost 7 years ago (see #108).

However, having toString() called even if objects do not implement lang.Value would simplify quite some code where hashCode() and compareTo are implemented in a way that always yields distinct objects, simply because the interface requires their implementation. I've come up with PR #313 but will have to give this some more thought.
from core.
The PropertyManager class was deprecated in 9.8.0 (October 2018) and subsequently removed in XP 11, which is the currently supported release series, see #290. You should really think about moving away from using this API!
Yes, we are thinking about moving away from this old stuff, but you know... priorities.

PropertyManager + Properties isn't using util.Secret when reading the secrets from an .ini file.

Yes, I know PropertyManager is deprecated, but in this case we have to migrate some old code using Scriptlets to a newer PHP version with minimum effort.
So, using an educated guess after looking at the code for PropertyManager and friends, your problem is a ResourcePropertySource where instead of just root, the cache is also dumped. The cache contains util.Properties instances, whose toString() method then also dumps any secrets in the property file. It all boils down to this:
$ cat test.ini
[global]
db.pass=secret!
$ xp -w '$p= new \util\Properties("test.ini"); $p->reset(); return $p->toString()'
util.Properties(test.ini)@{[global => [db.pass => "secret!"]]}
Also happens if we use the {$secret.xyz} notation; all of these expansions are performed while loading the file.
👉 This would mean the root cause is the Properties class. I'll come up with a PR for this.
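As an added example, not the framework's code and not the fix released in v11.4.0: a minimal redacting wrapper in the spirit of util.Secret, plus a loader that applies it to password-like keys, so that dumping the parsed ini data prints a mask instead of the secret. The class RedactedValue, the function loadProperties and the SENSITIVE key pattern are assumptions made for this illustration.

```php
<?php
// Added example (not XP framework code): wrap sensitive ini values so that
// stringifying or dumping the whole configuration cannot leak them.
final class RedactedValue {
    private string $value;
    public function __construct(string $value) { $this->value = $value; }
    // Explicit accessor: the only way to read the plaintext
    public function reveal(): string { return $this->value; }
    // String conversion (e.g. in a toString() dump) yields a mask, never the value
    public function __toString(): string { return '*****'; }
    // print_r()/var_dump() go through here as well (PHP >= 5.6)
    public function __debugInfo(): array { return ['value' => '*****']; }
}

// Keys whose values must not appear in logs or stack traces (assumed policy)
const SENSITIVE = '/(pass|password|secret|token|key)$/i';

function loadProperties(string $ini): array {
    // INI_SCANNER_RAW keeps values verbatim, e.g. "secret!" stays "secret!"
    $sections = parse_ini_string($ini, true, INI_SCANNER_RAW);
    if ($sections === false) {
        throw new RuntimeException('Cannot parse ini data');
    }
    foreach ($sections as $section => $pairs) {
        foreach ($pairs as $key => $value) {
            if (preg_match(SENSITIVE, $key)) {
                $sections[$section][$key] = new RedactedValue((string)$value);
            }
        }
    }
    return $sections;
}

// Sample ini content, constructed for this example (mirrors the thread's test.ini)
$ini = "[global]\ndb.user=app\ndb.pass=secret!\n";

// Before: a dump of the raw parse result, as Properties::toString() does it
print_r(parse_ini_string($ini, true, INI_SCANNER_RAW));   // prints "secret!"

// After: the same dump over the wrapped structure only shows the mask
$props = loadProperties($ini);
print_r($props);   // [db.pass] => RedactedValue Object ( [value] => ***** )

// The plaintext is still available where it is legitimately needed
$dsnPassword = $props['global']['db.pass']->reveal();
if ($dsnPassword !== 'secret!') {
    throw new LogicException('reveal() must return the original value');
}
```

Note that var_export() and serialize() do not consult __debugInfo() and will still emit the private value, so a wrapper like this only protects the string-conversion and print_r/var_dump paths.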
Fix released in https://github.com/xp-framework/core/releases/tag/v11.4.0