minor #37431 [HttpKernel] hide "_password" in request data collector raw content (EfeloPHP)

fabpot · fabpot · commit 367aa1df6caa · 2020-07-15T14:56:50.000+02:00
This PR was merged into the 5.2-dev branch. Discussion ---------- [HttpKernel] hide "_password" in request data collector raw content The password was already hidden in POST parameters, but still remained visible in raw content. | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | no | Deprecations? | no | License | MIT This is my first contribution, so I hope I did everything right :) Commits ------- 715c793 [HttpKernel] added password hiding in request data collector raw content
diff --git a/src/Symfony/Component/HttpKernel/CHANGELOG.md b/src/Symfony/Component/HttpKernel/CHANGELOG.md
@@ -8,6 +8,8 @@ CHANGELOG
  * made the public `http_cache` service handle requests when available
  * allowed enabling trusted hosts and proxies using new `kernel.trusted_hosts`,
    `kernel.trusted_proxies` and `kernel.trusted_headers` parameters
+ * content of request parameter `_password` is now also hidden
+   in the request profiler raw content section
 
 5.1.0
 -----
diff --git a/src/Symfony/Component/HttpKernel/DataCollector/RequestDataCollector.php b/src/Symfony/Component/HttpKernel/DataCollector/RequestDataCollector.php
@@ -95,7 +95,6 @@ public function collect(Request $request, Response $response, \Throwable $except
         $this->data = [
             'method' => $request->getMethod(),
             'format' => $request->getRequestFormat(),
-            'content' => $content,
             'content_type' => $response->headers->get('Content-Type', 'text/html'),
             'status_text' => isset(Response::$statusTexts[$statusCode]) ? Response::$statusTexts[$statusCode] : '',
             'status_code' => $statusCode,
@@ -129,9 +128,13 @@ public function collect(Request $request, Response $response, \Throwable $except
         }
 
         if (isset($this->data['request_request']['_password'])) {
+            $encodedPassword = rawurlencode($this->data['request_request']['_password']);
+            $content = str_replace('_password='.$encodedPassword, '_password=******', $content);
             $this->data['request_request']['_password'] = '******';
         }
 
+        $this->data['content'] = $content;
+
         foreach ($this->data as $key => $value) {
             if (!\is_array($value)) {
                 continue;
diff --git a/src/Symfony/Component/HttpKernel/Tests/DataCollector/RequestDataCollectorTest.php b/src/Symfony/Component/HttpKernel/Tests/DataCollector/RequestDataCollectorTest.php
@@ -310,6 +310,27 @@ public function testStatelessCheck()
         $this->assertTrue($collector->getStatelessCheck());
     }
 
+    public function testItHidesPassword()
+    {
+        $c = new RequestDataCollector();
+
+        $request = Request::create(
+            'http://test.com/login',
+            'POST',
+            ['_password' => ' _password@123'],
+            [],
+            [],
+            [],
+            '_password=%20_password%40123'
+        );
+
+        $c->collect($request, $this->createResponse());
+        $c->lateCollect();
+
+        $this->assertEquals('******', $c->getRequestRequest()->get('_password'));
+        $this->assertEquals('_password=******', $c->getContent());
+    }
+
     protected function createRequest($routeParams = ['name' => 'foo'])
     {
         $request = Request::create('http://test.com/foo?bar=baz');
