prevent the Logger from writing sensitive values#143
Conversation
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
| use Office365\Runtime\Auth\AuthenticationContext; | ||
| use Office365\Runtime\Auth\SamlTokenProvider; |
There was a problem hiding this comment.
Seeing both paths being in the same namespace, does it make sense to allow giving class names only or even namespaces only?
There was a problem hiding this comment.
Both might be too broad in other cases.
There was a problem hiding this comment.
Well that's why I meant "Allow", but yeah then let's keep it like this.
I just fear the moment they change an internal method name or something and it logs again
There was a problem hiding this comment.
Well that's why I meant "Allow", but yeah then let's keep it like this. I just fear the moment they change an internal method name or something and it logs again
Absolutely. But that can happen to namespaces as well as class names (also happened in this lib in the past).
The only sustainable solution will arrive with PHP 8.2's sensitive parameter support.
There was a problem hiding this comment.
@nickvergessen added an integrattion test that should act as safeguard nevertheless
blizzz
force-pushed
the
fix/142/dont-log-sensitive-args
branch
3 times, most recently
from
52a3857 to
a99907b
Compare
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
blizzz
force-pushed
the
fix/142/dont-log-sensitive-args
branch
from
c9241f1 to
aaa0b21
Compare
|
For the record: integration tests succeeds locally against the |
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
|
server PR merged, please rebase/adjust |
rerun failing tests against current master. All green now → merging |
3 participants
ensure backwards compat if necessaryonly backports