@secret annotation for objects storing passwords
- mishak
- Member | 94
It would be nice to support dumping of objects with secrets.
It is not just passwords, i.e. birth numbers, gov. ID numbers, etc.
```php
class Connection {
    /** @secret */
    private $username;
    /** @secret */
    private $password;
}
dump(new Connection);
```

```
Connection #66dd
username => ******
password => SECRET
```
It would enable sharing error log dumps without modifying them. Also, it is not safe to store dumps with passwords on the server.
Last edited by mishak (2014-04-18 17:44)
- Filip Procházka
- Moderator | 4668
Interesting idea, I just don't like the part where you have to modify the code to make those properties secret. It would have to be a configuration value of tracy/dumper.
- petr.pavel
- Member | 535
I was just thinking recently about all the fun we've had with debug mode running on various production servers :-) and that Nette should mask db login credentials in dumps to protect those idiots.
I like this proposal; however, it won't cover non-Nette libraries, for example Doctrine\DBAL\Connection. Shouldn't we be more aggressive and mask all attributes named password, pwd, passwd, …, username, user_name, userName, …? I know it will never catch everything but isn't at least something better than nothing?
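
Both ideas raised so far, the `@secret` annotation and masking by property name, sketched together as an added example that is not part of the thread and not Tracy's code. The functions `maskSecrets` and `isSecretProperty`, the name list and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical helper, not Tracy's API. Needs PHP 8.1+, where reflection reads
// private properties without setAccessible(). The name list is an assumption
// based on the names suggested in the thread.
const SECRET_NAMES = '/^(password|passwd|pwd|username|user_?name)$/i';
const MASK = '******';

function isSecretProperty(ReflectionProperty $prop): bool
{
    // getDocComment() is false without a docblock and when opcache.save_comments=0,
    // so the name list also acts as a fallback for annotated properties.
    $doc = $prop->getDocComment();
    return ($doc !== false && preg_match('/@secret\b/', $doc) === 1)
        || preg_match(SECRET_NAMES, $prop->getName()) === 1;
}

function maskSecrets(mixed $value, int $depth = 4): mixed
{
    if ($depth < 0) {
        return '...'; // depth limit, also stops recursion on object cycles
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $secret = is_string($key) && preg_match(SECRET_NAMES, $key) === 1;
            $value[$key] = $secret ? MASK : maskSecrets($item, $depth - 1);
        }
        return $value;
    }
    if (!is_object($value)) {
        return $value;
    }
    $out = ['__class' => $value::class];
    // Walk parent classes too: their private properties are not listed on the child.
    for ($class = new ReflectionObject($value); $class; $class = $class->getParentClass()) {
        foreach ($class->getProperties() as $prop) {
            $name = $prop->getName();
            if ($prop->isStatic() || array_key_exists($name, $out) || !$prop->isInitialized($value)) {
                continue;
            }
            $out[$name] = isSecretProperty($prop) ? MASK : maskSecrets($prop->getValue($value), $depth - 1);
        }
    }
    return $out;
}

class Connection { // constructed sample with made-up values
    /** @secret */
    private $dsn = 'mysql:host=db.example.test';
    private $password = 'hunter2';
    private $options = ['charset' => 'utf8', 'pwd' => 'hunter2'];
}
print_r(maskSecrets(new Connection));
```

The name match also covers third-party classes that carry no annotation, and it applies to array keys as well as object properties.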
- japlavaren
- Member | 404
In my opinion this is unnecessary: the dump is output by the programmer and it is turned off on the production server. If I need to dump @secret data, it won't work and I'll have to hack around it.
- petr.pavel
- Member | 535
@matej21: “authored on 11 Jun 2009” and yet this year I was able to read Nette Database login credentials from an error message on a production server with debug mode on. So yes, something like this but working :-)