@secret annotation for objects storing passwords
6 years ago
- mishak
- Member | 100
It would be nice to support dumping of objects with secrets.
It is not just passwords, i.e. birth numbers, gov. ID numbers etc.
class Connection {
    /** @secret */
    private $username;
    /** @secret */
    private $password;
}
dump(new Connection);
Connection #66dd
   username => ******
   password => SECRET
It would enable sharing error log dumps without modifying them. Also, it is not safe to store dumps with passwords on the server.
Last edited by mishak (2014-04-18 17:44)
5 years ago
- Filip Procházka
- Moderator | 4693
Interesting idea, I just don't like the part where you have to modify the code to make those properties secret. It would have to be a configuration value of tracy/dumper.
5 years ago
- petr.pavel
- Backer | 492
I was just thinking recently about all the fun we've had with debug mode running on various production servers :-) and that Nette should mask db login credentials in dumps to protect those idiots.
I like this proposal; however, it won't cover non-Nette libraries, for example Doctrine\DBAL\Connection. Shouldn't we be more aggressive and mask all attributes named password, pwd, passwd, …, username, user_name, userName, …? I know it will never catch everything, but isn't at least something better than nothing?
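The two approaches proposed so far (the @secret doc-comment tag and masking by property name) can be combined in one dumper. The sketch below is an added example, not part of the thread and not Tracy's code; `maskedDump()`, `isSecretProperty()`, `SECRET_NAMES` and the sample values are hypothetical names and constructed data.

```php
<?php
// Assumed name list, taken from the names suggested in the thread.
const SECRET_NAMES = ['password', 'pwd', 'passwd', 'username', 'user_name'];

/** True when the property carries @secret or has a sensitive-looking name. */
function isSecretProperty(ReflectionProperty $prop): bool
{
    $doc = $prop->getDocComment();
    // Names are compared lower-cased so userName and username both match.
    return ($doc !== false && preg_match('~@secret\b~', $doc) === 1)
        || in_array(strtolower($prop->getName()), SECRET_NAMES, true);
}

/** Dumps an object's own properties, replacing secret values with a fixed mask. */
function maskedDump(object $obj, int $depth = 0): string
{
    $out = get_class($obj) . "\n";
    $pad = str_repeat('   ', $depth + 1);
    foreach ((new ReflectionObject($obj))->getProperties() as $prop) {
        if (PHP_VERSION_ID < 80100) {
            $prop->setAccessible(true); // private/protected access on older PHP
        }
        if (isSecretProperty($prop)) {
            $shown = '******'; // fixed length, so the value's length is not revealed
        } elseif (!$prop->isInitialized($obj)) {
            $shown = 'uninitialized'; // typed property without a value
        } elseif (is_object($value = $prop->getValue($obj))) {
            // Nested objects are masked the same way; the depth limit stops cycles.
            $shown = $depth < 3 ? rtrim(maskedDump($value, $depth + 1)) : get_class($value) . ' ...';
        } elseif (is_array($value)) {
            $shown = 'array(' . count($value) . ')'; // contents omitted, keys are not inspected
        } else {
            $shown = var_export($value, true);
        }
        $out .= $pad . $prop->getName() . ' => ' . $shown . "\n";
    }
    return $out;
}

// Constructed sample class, modelled on the one in the first post.
class Connection {
    /** @secret */
    private $dsn = 'mysql:host=db.example;dbname=app'; // masked by annotation
    private $userName = 'app_rw';                      // masked by name
    private $password = 'constructed-value';           // masked by name
    private $charset = 'utf8';                         // shown as-is
}

echo maskedDump(new Connection);
```

The annotation check depends on doc comments being available at runtime, so it stops working if opcache.save_comments is turned off; the name list still applies in that case. Private properties declared on a parent class are not returned by the reflection call used here and would need a walk up the class hierarchy.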
5 years ago
- japlavaren
- Backer | 415
In my opinion this is unnecessary: the programmer prints the dump himself, and it is turned off on the production server. If I need to dump @secret data, it won't work and I'll have to hack around it.
5 years ago
- petr.pavel
- Backer | 492
@matej21: “authored on 11 Jun 2009” and yet this year I was able to read Nette Database login credentials from an error message on a production server with debug mode on. So yes, something like this, but working :-)