BlueScreen: used scrubber for HTTP headers #498

Merged
merged 1 commit into from
Jul 12, 2021

@dakujem dakujem commented Jul 12, 2021

Two sections of BlueScreen were previously not properly scrubbed:

  • HTTP Request / Headers
  • CLI Request / Arguments

This includes, for example, the Cookie header, which can easily be used to hijack the session:

The Cookie is plaintext-legible in the Headers section, while the $_COOKIE section right below gets properly scrubbed:

This PR fixes the issue.

  • bug fix
  • BC break? no

Two sections of BlueScreen were previously not properly scrubbed:
- HTTP Request / Headers
- CLI Request / Arguments

This fixes the issue.

dakujem commented Jul 12, 2021

Would you like me to create a second PR for the 2.x branch?


dg commented Jul 12, 2021

Thanks. I'll copy it to the 2.7 branch.

@dg changed the title from "BlueScreen: Fix possible sensitive info leak" to "BlueScreen: used scrubber for HTTP headers" on Jul 12, 2021
@dg merged commit 9cf7843 into nette:master on Jul 12, 2021
dg pushed a commit that referenced this pull request Jul 12, 2021
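
The leak discussed in this thread, as an added illustration (not code from Tracy or from this pull request): an error page that masks `$_COOKIE` but prints raw request headers still exposes the session ID through the `Cookie` header, so the header dump has to pass through the same kind of scrubbing. The `scrubHeaders()` helper, the `$scrubber` callback, its key pattern and all sample values are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

// Hypothetical scrubber: decides from the header name alone whether the value is hidden.
$scrubber = static fn(string $name): bool =>
    (bool) preg_match('#^(set-cookie|authorization|proxy-authorization)$|token|secret|passw#i', $name);

/**
 * Hypothetical helper: returns a copy of the headers that is safe to print on an error page.
 * The Cookie header is split into pairs so cookie names stay visible while every value is masked.
 */
function scrubHeaders(array $headers, callable $scrubber, string $mask = '*****'): array
{
    $safe = [];
    foreach ($headers as $name => $value) {
        $name = (string) $name;
        if (strcasecmp($name, 'Cookie') === 0) {
            // Header names are case-insensitive, so "cookie" and "COOKIE" are caught too.
            $pairs = [];
            foreach (explode(';', (string) $value) as $pair) {
                [$cookieName] = explode('=', trim($pair), 2);
                if ($cookieName !== '') {
                    $pairs[] = $cookieName . '=' . $mask;
                }
            }
            $safe[$name] = implode('; ', $pairs);
        } elseif ($scrubber($name)) {
            $safe[$name] = $mask;
        } else {
            $safe[$name] = $value;
        }
    }
    return $safe;
}

// Constructed sample request headers (not taken from the pull request).
$headers = [
    'Host' => 'app.example.test',
    'Cookie' => 'PHPSESSID=constructed-session-id; theme=dark',
    'Authorization' => 'Bearer constructed-token',
    'X-Api-Token' => 'constructed-value',
    'Accept' => 'text/html',
];

foreach (scrubHeaders($headers, $scrubber) as $name => $value) {
    // Escape on output as well: header values are attacker-controlled input.
    echo htmlspecialchars("$name: $value", ENT_QUOTES), "\n";
}
```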