From 18baccf227ca1fed295e014326c975cc0ef573c3 Mon Sep 17 00:00:00 2001
From: jfritschi
Date: Sat, 29 Aug 2015 19:05:21 +0200
Subject: [PATCH] #152 #147 introduce a setVerbose() toggle to prevent debug info leaking in production
---
 docs/examples/example_advanced_saml11.php | 2 +
 docs/examples/example_custom_urls.php | 2 +
 docs/examples/example_gateway.php | 2 +
 docs/examples/example_hardening.php | 2 +
 docs/examples/example_html.php | 2 +
 docs/examples/example_lang.php | 2 +
 docs/examples/example_logout.php | 2 +
 .../examples/example_no_ssl_cn_validation.php | 2 +
 docs/examples/example_pgt_storage_db.php | 2 +
 docs/examples/example_pgt_storage_file.php | 2 +
 docs/examples/example_proxy_GET.php | 2 +
 docs/examples/example_proxy_POST.php | 2 +
 docs/examples/example_proxy_rebroadcast.php | 2 +
 docs/examples/example_proxy_serviceWeb.php | 2 +
 .../example_proxy_serviceWeb_chaining.php | 2 +
 docs/examples/example_renew.php | 2 +
 docs/examples/example_service.php | 2 +
 docs/examples/example_service_POST.php | 2 +
 .../examples/example_service_that_proxies.php | 2 +
 docs/examples/example_simple.php | 2 +
 source/CAS.php | 52 +++++++++++++++++--
 source/CAS/Client.php | 10 ++--
 22 files changed, 95 insertions(+), 7 deletions(-)
diff --git a/docs/examples/example_advanced_saml11.php b/docs/examples/example_advanced_saml11.php
index 79d343e4..3c495180 100644
--- a/docs/examples/example_advanced_saml11.php
+++ b/docs/examples/example_advanced_saml11.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(SAML_VERSION_1_1, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_custom_urls.php b/docs/examples/example_custom_urls.php
index 1feb2adf..97c155fe 100644
--- a/docs/examples/example_custom_urls.php
+++ b/docs/examples/example_custom_urls.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_gateway.php b/docs/examples/example_gateway.php
index 82860afa..b7715c29 100644
--- a/docs/examples/example_gateway.php
+++ b/docs/examples/example_gateway.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_hardening.php b/docs/examples/example_hardening.php
index b81c83c5..25aae275 100644
--- a/docs/examples/example_hardening.php
+++ b/docs/examples/example_hardening.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(false);
 // Harden session cookie to prevent some attacks on the cookie (e.g. XSS)
 session_set_cookie_params($client_lifetime, $client_path, $client_domain, $client_secure, $client_httpOnly);
diff --git a/docs/examples/example_html.php b/docs/examples/example_html.php
index 25c9b823..ec4ee9d0 100644
--- a/docs/examples/example_html.php
+++ b/docs/examples/example_html.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_lang.php b/docs/examples/example_lang.php
index ab615379..1b6b3941 100644
--- a/docs/examples/example_lang.php
+++ b/docs/examples/example_lang.php
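Review bot: In example_hardening.php the copied comment `// Enable verbose error messages. Disable in production!` sits directly above `phpCAS::setVerbose(false);`, so the one example that demonstrates the production-safe setting describes the opposite of what the line does. Replace it with `// Keep verbose error messages off: internal error details stay out of the HTML output.` so the hardening example reads as a model to copy rather than a contradiction. The other example hunks pair the same comment with `setVerbose(true)`, where it is accurate.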
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_logout.php b/docs/examples/example_logout.php
index 0ea51122..cdf42a79 100644
--- a/docs/examples/example_logout.php
+++ b/docs/examples/example_logout.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_no_ssl_cn_validation.php b/docs/examples/example_no_ssl_cn_validation.php
index 74455d98..bf5ef004 100644
--- a/docs/examples/example_no_ssl_cn_validation.php
+++ b/docs/examples/example_no_ssl_cn_validation.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_pgt_storage_db.php b/docs/examples/example_pgt_storage_db.php
index 705ba229..b5097628 100644
--- a/docs/examples/example_pgt_storage_db.php
+++ b/docs/examples/example_pgt_storage_db.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_pgt_storage_file.php b/docs/examples/example_pgt_storage_file.php
index cfb45509..d7b420a7 100644
--- a/docs/examples/example_pgt_storage_file.php
+++ b/docs/examples/example_pgt_storage_file.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_proxy_GET.php b/docs/examples/example_proxy_GET.php
index f0afc548..665d349b 100755
--- a/docs/examples/example_proxy_GET.php
+++ b/docs/examples/example_proxy_GET.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_proxy_POST.php b/docs/examples/example_proxy_POST.php
index a4bf357d..4e061f59 100755
--- a/docs/examples/example_proxy_POST.php
+++ b/docs/examples/example_proxy_POST.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_proxy_rebroadcast.php b/docs/examples/example_proxy_rebroadcast.php
index 453e860c..2c9bff8f 100644
--- a/docs/examples/example_proxy_rebroadcast.php
+++ b/docs/examples/example_proxy_rebroadcast.php
@@ -22,6 +22,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_proxy_serviceWeb.php b/docs/examples/example_proxy_serviceWeb.php
index 1dc3b6a9..212918fa 100644
--- a/docs/examples/example_proxy_serviceWeb.php
+++ b/docs/examples/example_proxy_serviceWeb.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_proxy_serviceWeb_chaining.php b/docs/examples/example_proxy_serviceWeb_chaining.php
index e75efc88..0ab58ebe 100644
--- a/docs/examples/example_proxy_serviceWeb_chaining.php
+++ b/docs/examples/example_proxy_serviceWeb_chaining.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_renew.php b/docs/examples/example_renew.php
index a5c603ac..c25c2b81 100644
--- a/docs/examples/example_renew.php
+++ b/docs/examples/example_renew.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_service.php b/docs/examples/example_service.php
index 6c0daa6a..dc5aa411 100644
--- a/docs/examples/example_service.php
+++ b/docs/examples/example_service.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_service_POST.php b/docs/examples/example_service_POST.php
index 438af8f3..74be4dfa 100755
--- a/docs/examples/example_service_POST.php
+++ b/docs/examples/example_service_POST.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_service_that_proxies.php b/docs/examples/example_service_that_proxies.php
index 7094a048..7313ebf2 100644
--- a/docs/examples/example_service_that_proxies.php
+++ b/docs/examples/example_service_that_proxies.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::proxy(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/docs/examples/example_simple.php b/docs/examples/example_simple.php
index 301e7eda..105668ac 100644
--- a/docs/examples/example_simple.php
+++ b/docs/examples/example_simple.php
@@ -21,6 +21,8 @@
 // Enable debugging
 phpCAS::setDebug();
+// Enable verbose error messages. Disable in production!
+phpCAS::setVerbose(true);
 // Initialize phpCAS
 phpCAS::client(CAS_VERSION_2_0, $cas_host, $cas_port, $cas_context);
diff --git a/source/CAS.php b/source/CAS.php
index 1956c830..62e4c241 100644
--- a/source/CAS.php
+++ b/source/CAS.php
@@ -138,6 +138,11 @@
  */
 define("SAML_ATTRIBUTES", 'SAMLATTRIBS');
+/**
+ * SAML Attributes
+ */
+define("DEFAULT_ERROR", 'Internal script failure');
+
 /** @} */
 /**
  * @addtogroup publicPGTStorage
@@ -297,6 +302,13 @@ class phpCAS
      */
     private static $_PHPCAS_DEBUG;
+    /**
+     * This variable is used to store phpCAS debug mode.
+     *
+     * @hideinitializer
+     */
+    private static $_PHPCAS_VERBOSE = false;
+
     // ########################################################################
     // INITIALIZATION
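Review bot: The docblock above the new `define("DEFAULT_ERROR", 'Internal script failure');` still reads `SAML Attributes`, copied from the constant above it, and the docblock on `$_PHPCAS_VERBOSE` in the next hunk (`@@ -297,6 +302,13 @@`) says the property stores the debug mode rather than the verbose flag. Suggest `/** Generic message shown in the HTML output in place of the internal error text when verbose mode is off. */` for the constant, and `This variable stores whether verbose error output is enabled. Defaults to false so internal error details are never shown unless explicitly requested.` for the property. The `false` default is the right choice for the commit's goal and the comment should say that the safe value is the default. As a style point, `DEFAULT_ERROR` is a very generic name for a global constant; the neighbouring constants carry a library prefix (`SAML_ATTRIBUTES`, `CAS_VERSION_2_0`), so a prefixed name would be consistent and less likely to collide with application code.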
@@ -456,6 +468,34 @@ public static function setDebug($filename = '')
         }
     }
+    /**
+     * Enable verbose errors messages in the website output
+     * This is a security relevant since internal status info may leak an may
+     * help an attacker
+     *
+     * @param bool $verbose enable verbose output
+     *
+     * @return void
+     */
+    public static function setVerbose($verbose)
+    {
+        if ($verbose === true) {
+            self::$_PHPCAS_VERBOSE = true;
+        } else {
+            self::$_PHPCAS_VERBOSE = false;
+        }
+    }
+
+
+    /**
+     * Show is verbose mode is on
+     *
+     * @return boot verbose
+     */
+    public static function getVerbose()
+    {
+        return self::$_PHPCAS_VERBOSE;
+    }
     /**
      * Logs a string in debug mode.
@@ -501,6 +541,7 @@ public static function log($str)
      */
     public static function error($msg)
     {
+        phpCAS :: traceBegin();
         $dbg = debug_backtrace();
         $function = '?';
         $file = '?';
@@ -516,8 +557,12 @@ public static function error($msg)
             }
         }
     }
-        echo "
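Review bot: The `getVerbose()` docblock has `@return boot verbose` and `Show is verbose mode is on`; it should read `@return bool true when verbose error output is enabled` and `Tell whether verbose mode is on`. The `setVerbose()` docblock needs the same pass (`errors messages`, `a security relevant`, `an may`), e.g. `Enable verbose error messages in the HTML output. Security relevant: internal status information can help an attacker, so leave this off in production.` The body can shrink to `self::$_PHPCAS_VERBOSE = ($verbose === true);`, which keeps the strict comparison under which anything other than boolean `true` disables verbose output; that fail-safe behaviour is worth stating in the `@param` line, since a caller passing `1` or `'true'` gets the quiet mode rather than an error. The two blank lines between the two new methods do not match the single blank line used between the other methods in this hunk.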
\nphpCAS error: " . __CLASS__ . "::" . $function . '(): ' . htmlentities($msg) . " in " . $file . " on line " . $line . "
\n";
-        phpCAS :: trace($msg);
+        if (self::$_PHPCAS_VERBOSE) {
+            echo "
\nphpCAS error: " . __CLASS__ . "::" . $function . '(): ' . htmlentities($msg) . " in " . $file . " on line " . $line . "
\n";
+        } else {
+            echo "
\nError: ". DEFAULT_ERROR ."
\n";
+        }
+        phpCAS :: trace($msg . ' in ' . $file . 'on line ' . $line );
         phpCAS :: traceEnd();
         throw new CAS_GracefullTerminationException(__CLASS__ . "::" . $function . '(): ' . $msg);
@@ -537,7 +582,8 @@ public static function trace($str)
     }
     /**
-     * This method is used to indicate the start of the execution of a function in debug mode.
+     * This method is used to indicate the start of the execution of a function
+     * in debug mode.
      *
      * @return void
      */
diff --git a/source/CAS/Client.php b/source/CAS/Client.php
index 8275362d..7282e288 100755
--- a/source/CAS/Client.php
+++ b/source/CAS/Client.php
@@ -131,9 +131,11 @@ public function printHTMLFooter()
         $lang = $this->getLangObj();
         $this->_htmlFilterOutput(
             empty($this->_output_footer)?
-            ('
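Review bot: The new trace line `phpCAS :: trace($msg . ' in ' . $file . 'on line ' . $line );` is missing the space before `on line`, so the debug log reads as `…/Client.phpon line 42`; change the literal to `' on line '`. The verbose/non-verbose split only covers the echoed output: the `CAS_GracefullTerminationException` thrown two lines further down still carries `$msg` in its message, so if the application's exception handler or error display renders exception text, the detail the toggle hides can still reach the browser; the commit does not address that path, and a comment on the `throw` saying that the exception message is not covered by `setVerbose()` would at least make the limitation explicit. Keeping the unconditional `trace()` call means the full message still lands in the debug log, which is the right place for it. `error()`'s closing brace is outside the hunk.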
phpCAS __PHPCAS_VERSION__ '
-            .$lang->getUsingServer()
-            .' __SERVER_BASE_URL__ (CAS __CAS_VERSION__)
')
+            (phpcas::getVerbose())?
+            '
phpCAS __PHPCAS_VERSION__ '
+            .$lang->getUsingServer()
+            .' __SERVER_BASE_URL__ (CAS __CAS_VERSION__)
'
+            :''
             :$this->_output_footer
         );
     }
@@ -3619,7 +3621,7 @@ private function _renameSession($ticket)
             phpCAS :: trace("Restoring old session vars");
             $_SESSION = $old_session;
         } else {
-            phpCAS :: error(
+            phpCAS :: trace (
                 'Session should only be renamed after successfull authentication'
             );
         }
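Review bot: The new footer expression nests one ternary inside the middle operand of another, `empty($this->_output_footer)? (phpcas::getVerbose())? '…' :'' :$this->_output_footer`, with the parentheses around the condition rather than around the inner ternary; it parses as intended, but it is hard to read, and the class is written `phpcas` here while the other hunk in this file writes `phpCAS`. Compute the default first, `$default = phpCAS::getVerbose() ? '…version banner…' : '';`, then `$this->_htmlFilterOutput(empty($this->_output_footer) ? $default : $this->_output_footer);`. Suppressing the phpCAS version and server base URL from the footer in non-verbose mode is a sensible fingerprinting reduction; a one-line comment stating that intent would help the next reader, since nothing in the code says why the banner is conditional. `printHTMLFooter()` starts outside the hunk.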
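Review bot: Replacing `phpCAS :: error(` with `phpCAS :: trace (` in the `else` branch of `_renameSession()` changes more than the output: `error()` throws `CAS_GracefullTerminationException` (visible in the CAS.php hunk above), so this branch previously ended the request, whereas `trace()` only writes to the debug log and execution continues past a state the old code treated as fatal. If a rename attempt before authentication is genuinely harmless here, say so with a comment such as `// Not fatal: there is no old session to restore, but log it for debugging.`; if it is not, keep `error()`, since the new verbose toggle already keeps its internal message out of the HTML output, which is presumably what this change was after. The condition that selects this branch is outside the hunk, so I cannot tell how reachable it is. While the line is touched, `successfull` should be `successful`, and `trace (` should be `trace(` to match the call two lines above.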