Exception stack traces may leak information

Case

<?php
// $foo may hold a secret such as a password, salt or private key
$foo = "super-secret";
function bar($pw) {
    baz($pw);   // baz() is deliberately undefined: this triggers the fatal error below
}

bar($foo);

Note the argument values exposed in the Fatal error stack trace:

Note that here the argument value passed through bar() to baz() is printed

Output for 7.0.0 - 7.1.4
Fatal error: Uncaught Error: Call to undefined function baz() in /in/rk8NE:6
Stack trace:
#0 /in/rk8NE(9): bar('super-secret')
#1 {main}
  thrown in /in/rk8NE on line 6

Process exited with code 255.

Note that here no argument value is printed for the baz() call

Output for 5.6.0 - 5.6.30
Fatal error: Call to undefined function baz() in /in/rk8NE on line 6

Process exited with code 255.

For catchable exceptions, PHP 5.x and PHP 7.x behave the same:

<?php

$foo = "super-secret";

function bar($pw) {
    throw new Exception();   // the exception's trace captures $pw's value
}

try {
    bar($foo);
} catch(\Exception $ex) {
    echo $ex;   // __toString() renders the trace including argument values
}

Output for 7.0.0 - 7.1.4
Exception in /in/MdDLY:6
Stack trace:
#0 /in/MdDLY(10): bar('super-secret')
#1 {main}

Output for 5.6.0 - 5.6.30
exception 'Exception' in /in/MdDLY:6
Stack trace:
#0 /in/MdDLY(10): bar('super-secret')
#1 {main}

Analysis

In PHP 7.x, the Fatal Error stack trace shows argument values by default, which in some scenarios can leak sensitive data.
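As an added example (not code from the original page), the following shows one way to keep argument values out of the trace that reaches logs or error pages: render the trace from getTrace() while keeping only the argument count, and install that renderer as the uncaught-exception handler so PHP's default "Fatal error: Uncaught ..." output (which prints 'super-secret') is never emitted. The names redactedTrace, bar and the 'super-secret' value are constructed for this example. On PHP 7.4 and later, the INI directive zend.exception_ignore_args=On additionally stops PHP from recording argument values in the first place.

```php
<?php
// Added example: build a stack-trace string that omits argument values.
// No Throwable type hint, so it runs on PHP 5.x (Exception) and 7.x (Error too).
function redactedTrace($e) {
    $lines = array();
    foreach ($e->getTrace() as $i => $frame) {
        $file = isset($frame['file']) ? $frame['file'] : '[internal function]';
        $line = isset($frame['line']) ? '(' . $frame['line'] . ')' : '';
        $call = (isset($frame['class']) ? $frame['class'] . $frame['type'] : '')
              . $frame['function'];
        // Keep only the number of arguments; the values are deliberately dropped.
        $argc = isset($frame['args']) ? count($frame['args']) : 0;
        $lines[] = sprintf('#%d %s%s: %s(<%d arg(s) redacted>)',
                           $i, $file, $line, $call, $argc);
    }
    $lines[] = sprintf('#%d {main}', count($lines));
    return sprintf("%s in %s:%d\nStack trace:\n%s",
                   get_class($e), $e->getFile(), $e->getLine(), implode("\n", $lines));
}

// Constructed secret, mirroring the page's case.
$foo = "super-secret";

function bar($pw) {
    throw new Exception('boom');   // trace captures $pw unless ignore_args is On
}

// Handler for uncaught exceptions (and, on PHP 7, uncaught Errors): the redacted
// trace goes to the error log, the client only sees a generic message.
set_exception_handler(function ($e) {
    error_log(redactedTrace($e));
    http_response_code(500);
    echo "Internal error\n";
});

// Caught case: log the redacted form instead of echoing the exception itself,
// whose __toString() would include bar('super-secret').
try {
    bar($foo);
} catch (Exception $ex) {
    echo redactedTrace($ex), "\n";
    // e.g. "#0 /path/to/script.php(27): bar(<1 arg(s) redacted>)"
}
```

The handler only covers exceptions and (on PHP 7) Error objects; a genuine PHP 5.x fatal error like the undefined-function case above is not routed through it, so display_errors=Off in production remains the control that keeps that output off the page.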
