Version: 2.6.x, 2.7.x
Bug Description
BlueScreen reveals sensitive server variables without offering an option to turn this feature off or any kind of filtering.
Furthermore, half of the class's code is private, so there is no easy customisation... yet again.
Steps To Reproduce
Cause an exception to be rendered by BlueScreen and observe that all server variables ($_SERVER, including the process environment) are dumped at the bottom of the rendered screen.
Expected Behavior
Filtering of sensitive data is enabled, and sensitive values are not shown in plaintext.
Possible Solution
Refactor: introduce options, enable extensibility, and avoid private members and methods where no replacement is possible through composition.
Why Care
In cloud environments it is common and often necessary to store configuration (database connection strings, service keys, third-party API tokens, etc.) in environment variables, and PHP exposes those variables through $_SERVER. Dumping $_SERVER into an error page therefore leaks every such secret to whoever can see or capture that page, so the described issue poses a security risk. Read more here: 12 factor app.
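As an added illustration (not part of the original report and not Tracy's own API), the following PHP shows the kind of filtering the report asks for: a key- and value-based redaction pass over a $_SERVER-like array, applied before anything dumps it. The key patterns, the placeholder text and the sample array are constructed assumptions; the bootstrap workaround relies on the assumption that the bluescreen reads the $_SERVER superglobal at render time.

```php
<?php
declare(strict_types=1);

/**
 * Mask secret-looking entries in a $_SERVER-like array so that a debugger's
 * environment dump cannot leak them. Illustrative example only; the patterns
 * below are an assumption about what keys typically hold secrets.
 */
function redactServerVars(array $vars, array $keyPatterns = [
    '/(pass(word|wd)?|secret|token|api[_-]?key|private[_-]?key|credential|auth)/i',
]): array
{
    foreach ($vars as $key => $value) {
        // 1. Redact by key name (DB_PASSWORD, STRIPE_API_KEY, HTTP_AUTHORIZATION, ...).
        foreach ($keyPatterns as $pattern) {
            if (preg_match($pattern, (string) $key)) {
                $vars[$key] = '*****';
                continue 2;
            }
        }
        // 2. Redact credentials embedded in URL-style values (scheme://user:pass@host),
        //    e.g. DATABASE_URL, regardless of what the key is called.
        if (is_string($value)
            && preg_match('~^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@~i', $value)) {
            $vars[$key] = preg_replace('~(://[^/@\s:]+:)[^/@\s]+@~', '$1*****@', $value);
        }
    }
    return $vars;
}

// Constructed sample resembling a containerised app's $_SERVER (not real data).
$sample = [
    'SERVER_NAME'        => 'app.example.test',
    'REQUEST_URI'        => '/orders/42',
    'DB_PASSWORD'        => 'hunter2',
    'STRIPE_API_KEY'     => 'sk_test_constructed_value',
    'DATABASE_URL'       => 'mysql://app:hunter2@db:3306/shop',
    'HTTP_AUTHORIZATION' => 'Bearer constructed.jwt.value',
];

print_r(redactServerVars($sample));
// SERVER_NAME and REQUEST_URI survive unchanged; DB_PASSWORD, STRIPE_API_KEY and
// HTTP_AUTHORIZATION become '*****'; DATABASE_URL becomes 'mysql://app:*****@db:3306/shop'.

// Workaround in the application bootstrap, applied before the debugger is enabled
// (assumes the error page dumps the $_SERVER superglobal at render time):
//   $_SERVER = redactServerVars($_SERVER);
// getenv() still returns the real process environment, so application code that
// reads its configuration through getenv() is unaffected.
```

Pattern lists like this are a stop-gap: they only catch keys someone thought to name, which is exactly why the report asks for a filtering hook or an off switch in the class itself rather than leaving callers to guess.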