Possible credentials leak #105
Comments
This sounds like a duplicate of #102.
This is sensible, but would require a major version bump, due to a BC break. Would adding a
I am not very good at maintaining libraries, but technically - yeah, it would do.
Added #106
Your strategy is precisely what I was going to do. :)
I was contacted by a user concerned about a possible leak of the database credentials when an error occurs during a Factory::create() call:
The problem comes from the fact that Factory::create()'s parameters are listed in the stack trace.
I offered the user a quick and dirty solution of wrapping the call in a try/catch and then re-throwing a generic exception that contains the error message from the caught exception.
But that's only a workaround and I think it would be better to change the Factory::create() method's signature. The simplest solution would be to make the method accept an array of parameters instead of an explicit list of variables. This is against best practices, but here I would think it would be a good tradeoff between good practices and security.
I could send a pull request if you agree to this change.
Or we can try to find some other solution.
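The workaround described in the issue, as an added example that is not part of the original thread or the project's code: `Factory` here is a hypothetical stand-in with the same explicit parameter list, the credentials and helper names are constructed, and `zend.exception_ignore_args` is assumed to be off (the PHP default), so frames record their arguments.

```php
<?php
declare(strict_types=1);

const DSN = 'mysql:host=db.example;dbname=app'; // constructed sample values
const USER = 'app';
const SECRET = 'constructed-secret';

// Hypothetical stand-in: only the explicit parameter list matters here.
final class Factory
{
    public static function create(string $dsn, string $username, string $password): object
    {
        throw new RuntimeException('Could not connect to database');
    }
}

// True if any frame of $e, or of a chained previous exception, received $secret as an argument.
function traceContains(Throwable $e, string $secret): bool
{
    for ($cur = $e; $cur !== null; $cur = $cur->getPrevious()) {
        foreach ($cur->getTrace() as $frame) {
            if (in_array($secret, $frame['args'] ?? [], true)) {
                return true;
            }
        }
    }
    return false;
}

// Workaround: takes no credential arguments itself, so its own frame is clean.
function connect(): object
{
    try {
        return Factory::create(DSN, USER, SECRET);
    } catch (Throwable $e) {
        // Message only, no $previous: chaining $e would carry its trace and arguments along.
        throw new RuntimeException($e->getMessage());
    }
}

foreach (['direct call' => fn () => Factory::create(DSN, USER, SECRET), 'wrapped call' => 'connect'] as $label => $call) {
    try {
        $call();
    } catch (Throwable $e) {
        printf("%s: credentials in trace = %s\n", $label, var_export(traceContains($e, SECRET), true));
    }
}
```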