
Potential sensitive data exposure in PhpDataSource::getRequestHeaders() #516

Open
ssnepenthe opened this issue Aug 16, 2021 · 1 comment

@ssnepenthe
Contributor

Probably not a big deal because why would we be putting passwords in cookies...

In PhpDataSource you are running $_COOKIE through DataSource::removePasswords(). But in PhpDataSource::getRequestHeaders() nothing is done about the cookie header, which contains the same data.

Maybe the cookie header could just be dropped? Data is already collected elsewhere.

Alternatively, parse the header into an array, remove passwords and put it back together as a string.

Or maybe just forget about it because why would we store our password in a cookie?

@itsgoingd
Owner

Yeah, I'm not yet sure which option to go with, but something should be done about this.

Another good idea would be to remove authentication tokens from headers. Will probably do a bigger overhaul of the password removal code in 6.0.
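One way to implement the parse/redact/rebuild approach from the first comment, extended to the auth-token headers mentioned in the reply. This is an added example, not Clockwork's own code: the sensitive-name lists, the `*removed*` marker and the function names are assumptions.

```php
<?php
// Added example, not Clockwork's own code. Names below are hypothetical.

// Cookie names treated as sensitive (assumed list, matched case-insensitively).
const SENSITIVE_COOKIE_PATTERN = '/pass(word|wd)?|secret|token/i';
// Headers whose whole value is a credential (assumed list, lower-case).
const SENSITIVE_HEADERS = ['authorization', 'proxy-authorization', 'x-api-key'];

// Parse a raw Cookie header into name/value pairs, redact entries whose
// name matches the sensitive pattern, and rebuild the header string.
function redactCookieHeader(string $header): string
{
    $pairs = [];
    foreach (explode(';', $header) as $chunk) {
        $chunk = trim($chunk);
        if ($chunk === '') {
            continue;
        }
        // A value may itself contain '=', so split on the first one only.
        [$name, $value] = array_pad(explode('=', $chunk, 2), 2, '');
        $pairs[] = preg_match(SENSITIVE_COOKIE_PATTERN, $name)
            ? $name . '=*removed*'
            : $name . '=' . $value;
    }
    return implode('; ', $pairs);
}

// Apply redaction to a header map like the one getRequestHeaders() returns
// (header names in any case; values as strings or arrays of strings).
function redactRequestHeaders(array $headers): array
{
    foreach ($headers as $name => $value) {
        $lower = strtolower($name);
        if (in_array($lower, SENSITIVE_HEADERS, true)) {
            $headers[$name] = is_array($value)
                ? array_fill(0, count($value), '*removed*') : '*removed*';
        } elseif ($lower === 'cookie') {
            $headers[$name] = is_array($value)
                ? array_map('redactCookieHeader', $value) : redactCookieHeader($value);
        }
    }
    return $headers;
}

// Constructed sample input; the token value is a placeholder.
print_r(redactRequestHeaders([
    'Cookie'        => 'theme=dark; password=hunter2; session_id=abc=def',
    'Authorization' => 'Bearer <placeholder-token>',
    'Accept'        => 'text/html',
]));
```

Only the `password` cookie and the `Authorization` value are replaced; `session_id=abc=def` survives intact, which shows why the split must stop at the first `=`.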

@itsgoingd itsgoingd added this to the Clockwork 6 milestone Oct 29, 2024