Reputation: 5969
I am maintaining an app built in Yii2, and I want to use Yii::warning() to write log messages. This is fine except when I'm logging events in the user login sequence.
The username and password are sent as POST variables. These are sensitive information which should not be captured in a log file.
$errorno = ldap_errno($this->link);
$errorstr = ldap_err2str($errorno);
Yii::warning("LDAP error: $errorno: $errorstr");
The above code causes a log warning to appear, containing my ldap error messages, but that warning contains a full stack trace and POST variables.
Even if the warning is only written when there is a problem with the LDAP connection, it could contain any user's credentials at that time, from server admin to CEO.
How can I log warnings for authentication related events in Yii without getting a full stack trace and dump of POST fields?
Upvotes: 3
Views: 1444
Reputation: 1283
To avoid sensitive data leaking into logs, you can simply mask any variable in the log files, and for every log level, not only warnings.
'log' => [
    'traceLevel' => YII_DEBUG ? 3 : 0,
    'targets' => [
        [
            'class' => 'yii\log\FileTarget',
            'levels' => ['error', 'warning'],
            'maskVars' => [
                // current vars in vendor/yiisoft/yii2/log/Target.php::$maskVars
                '_SERVER.HTTP_AUTHORIZATION',
                '_SERVER.PHP_AUTH_USER',
                '_SERVER.PHP_AUTH_PW',
                // Filter and mask any POST vars. Examples:
                // '_POST.add_var_name_here'
                // '_POST.your_form_name.your_field_name'
                // see: vendor/yiisoft/yii2/log/Target.php::$maskVars
                // see: vendor/yiisoft/yii2/log/Target.php::getContextMessage()
                '_POST.LoginForm.email',
                '_POST.LoginForm.password',
            ],
        ],
    ],
],
Now, in practice, how to determine and set maskVars. Suppose you see in your logs something like:
$_POST = [
    'LoginForm' => [
        'email' => '[email protected]',
        'password' => 'mysecretpassword',
    ],
]
To mask the email and password, you just need to add '_POST.LoginForm.email' and '_POST.LoginForm.password' to the maskVars config.
PS: In this way you can mask any sensitive variable from the globals:
    '_SERVER.add_var_name_here',
    '_FILES.add_var_name_here',
    '_COOKIE.add_var_name_here',
    '_SESSION.add_var_name_here',
    '_POST.add_var_name_here',
    '_GET.add_var_name_here',
Upvotes: 1
Reputation: 3299
You can configure what PHP superglobal variables are exported to the log for each log target. In your config file, e.g.:
'log' => [
    'traceLevel' => YII_DEBUG ? 3 : 0,
    'targets' => [
        [
            'class' => 'yii\log\FileTarget',
            'levels' => ['error', 'warning'],
            'logVars' => ['_GET', '_POST', '_FILES', '_COOKIE', '_SESSION', '_SERVER'],
        ],
    ],
],
The equivalent of the default setting, used when the logVars property is omitted, is shown in the example above.
Upvotes: 4
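The following is an added example, not code from the question, from either answer, or from the Yii project. It is a dependency-free re-implementation of what yii\log\Target::getContextMessage() does with logVars (first) and maskVars (second), so the effect of the two answers' settings can be checked on a constructed request without booting Yii. The dotted-path syntax, the '***' replacement, and the default lists follow the Yii 2 source; the helper names (getByPath, setByPath, filterGlobals, applyMasks, contextMessage, check), the sample request and the use of var_export() in place of Yii's VarDumper are this example's own assumptions. Run it with a PHP 7+ CLI.

```php
<?php
declare(strict_types=1);

// Added example: stand-alone mirror of the logVars/maskVars handling in
// yii\log\Target::getContextMessage(). Helper names and the sample request are
// this example's own; only the path syntax, '***' and the defaults follow Yii.

/** Return the value at an exploded dotted path, or null if any key is missing. */
function getByPath(array $array, array $path)
{
    $cursor = $array;
    foreach ($path as $key) {
        if (!is_array($cursor) || !array_key_exists($key, $cursor)) {
            return null;
        }
        $cursor = $cursor[$key];
    }
    return $cursor;
}

/** Overwrite the value at an exploded dotted path; no-op if the path is absent. */
function setByPath(array &$array, array $path, $value): void
{
    $cursor = &$array;
    foreach ($path as $key) {
        if (!is_array($cursor) || !array_key_exists($key, $cursor)) {
            return;
        }
        $cursor = &$cursor[$key];
    }
    $cursor = $value;
}

/** logVars: keep only the listed superglobals (top-level names only in this example). */
function filterGlobals(array $globals, array $logVars): array
{
    $context = [];
    foreach ($logVars as $name) {
        if (array_key_exists($name, $globals)) {
            $context[$name] = $globals[$name];
        }
    }
    return $context;
}

/** maskVars: replace every value that exists at one of the listed paths with '***'. */
function applyMasks(array $context, array $maskVars): array
{
    foreach ($maskVars as $spec) {
        $path = explode('.', $spec);
        if (getByPath($context, $path) !== null) {
            setByPath($context, $path, '***');
        }
    }
    return $context;
}

/** Build the "$_POST = ..." context block that Yii appends to an exported log batch. */
function contextMessage(array $globals, array $logVars, array $maskVars): string
{
    $context = applyMasks(filterGlobals($globals, $logVars), $maskVars);
    $lines = [];
    foreach ($context as $name => $value) {
        $lines[] = '$' . $name . ' = ' . var_export($value, true);
    }
    return implode("\n\n", $lines);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed request standing in for $GLOBALS; nothing here is a real credential.
$globals = [
    '_GET'    => ['r' => 'site/login'],
    '_POST'   => ['LoginForm' => ['email' => 'user@example.com',
                                  'password' => 'mysecretpassword']],
    '_SERVER' => ['REQUEST_METHOD' => 'POST',
                  'HTTP_AUTHORIZATION' => 'Basic dXNlcjpteXNlY3JldHBhc3N3b3Jk'],
];
$defaultLogVars  = ['_GET', '_POST', '_FILES', '_COOKIE', '_SESSION', '_SERVER'];
$defaultMaskVars = ['_SERVER.HTTP_AUTHORIZATION', '_SERVER.PHP_AUTH_USER', '_SERVER.PHP_AUTH_PW'];

// 1. Stock configuration: the Authorization header is masked, the login form is not.
$out = contextMessage($globals, $defaultLogVars, $defaultMaskVars);
check(strpos($out, 'mysecretpassword') !== false, 'stock config still logs the form password');
check(strpos($out, 'dXNlcjpteXNlY3JldHBhc3N3b3Jk') === false, 'stock config masks Authorization');

// 2. First answer: enumerate the form fields in maskVars.
$out = contextMessage($globals, $defaultLogVars,
    array_merge($defaultMaskVars, ['_POST.LoginForm.email', '_POST.LoginForm.password']));
check(strpos($out, 'mysecretpassword') === false, 'maskVars hides the password');
check(strpos($out, "'password' => '***'") !== false, 'masked value is ***');

// 3. Second answer: leave _POST out of logVars, so no form field is logged at all.
$out = contextMessage($globals, ['_GET', '_SERVER'], $defaultMaskVars);
check(strpos($out, '$_POST') === false, 'logVars without _POST drops the whole form');
echo $out, PHP_EOL;
```

Two practical caveats follow from running this. maskVars is a deny list: a field in a form you did not enumerate (a password-reset or change-password form, say) is logged in full until someone adds it, whereas leaving _POST out of logVars, as in the second answer, is an allow list that cannot be defeated by a new field. Both properties live on the log target, so they must be set on every target (file, email, database, and so on), and neither affects the call stack the question mentions; that is governed separately by traceLevel, which both answers already set to 0 outside YII_DEBUG.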