Request #37532 Allow override of Exception::getTrace()
Submitted: 2006-05-19 22:59 UTC Modified: 2006-05-19 23:20 UTC
From: spam01 at pornel dot net Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 5.1.4 OS: *
Private report: No CVE-ID: None
 [2006-05-19 22:59 UTC] spam01 at pornel dot net
Description:
------------
Exception::getTrace() is final. Because of that it's not possible to override it in order to hide backtrace when it contains sensitive data.

I'm developing a library and I'd like to throw exceptions from sensitive context without messing default handlers.

I realize that client's code is supposed to catch exceptions or disable reporting, but I can't believe that everyone will RTFM and comply.

This issue also affects PDO. It would be nice if it could hide passwords instead of just having this risk documented.


Reproduce code:
---------------
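<?php
class StealthFoolproofException extends Exception
{
    // Attempted override: Exception::getTrace() is declared final,
    // so PHP rejects this class with a fatal error.
    function getTrace() { return NULL; }
}

function test($secretpassword)
{
    // The argument passed to test() ends up in the exception's trace.
    throw new StealthFoolproofException();
}
test('don\'t reveal that');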

Expected result:
----------------
PHP Error: Fatal error: Uncaught exception StealthFoolproofException ... Stack trace: none.


Actual result:
--------------
Cannot override final method Exception::getTrace().

If not overridden, reveals arguments.


 [2006-05-19 23:20 UTC] helly@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

No one forces you to publish an exception on your websites. Indeed it is recommended that you have display_errors off.

Check the internals@ archives why the exception members are final.
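
The following is an added example, not part of the original report or of PHP's own code: one way to follow the display_errors advice while still logging a usable trace that never includes call arguments. It assumes PHP 7 or later (for Throwable); the helper name trace_without_args and the sample test() call are hypothetical.

```php
<?php
// Added example: keep call arguments out of anything displayed or logged.
ini_set('display_errors', '0');   // the setting recommended in the reply above
ini_set('log_errors', '1');

/**
 * Render a trace from file, line and function names only.
 * The 'args' element of each frame is never read, so argument
 * values (passwords, DSNs, tokens) cannot reach the output.
 */
function trace_without_args(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $where = isset($frame['file'])
            ? $frame['file'] . ':' . $frame['line']
            : '[internal]';
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $lines[] = sprintf('#%d %s %s()', $i, $where, $call);
    }
    return implode("\n", $lines);
}

// Last-resort handler for code that never catches the exception.
set_exception_handler(function (Throwable $e): void {
    // Note: the exception message itself is logged as-is; keep secrets out of it.
    error_log(sprintf(
        "Uncaught %s: %s\n%s",
        get_class($e),
        $e->getMessage(),
        trace_without_args($e)
    ));
    if (PHP_SAPI !== 'cli') {
        http_response_code(500);
    }
    echo "Internal error\n";      // generic text only, no trace
});

// Constructed call mirroring the report's reproduce code.
function test($secretpassword)
{
    throw new RuntimeException('login failed');
}

test("don't reveal that");
```

On PHP 7.4 and later, the zend.exception_ignore_args ini setting stops arguments from being collected into exception traces in the first place.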
 
Last updated: Mon Apr 29 06:01:29 2024 UTC