[SECURITY] Do not log stacktrace in exception handlers

When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74893 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

[SECURITY] Do not log stacktrace in exception handlers
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74893 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
f9a1f183 · Torben Hansen · Oliver Hader · 3aef4183 · f9a1f183 · f9a1f183
Commit f9a1f183 authored 2 years ago by Torben Hansen Committed by Oliver Hader 2 years ago
--- a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -37,6 +37,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
    const CONTEXT_WEB = 'WEB';
    const CONTEXT_CLI = 'CLI';

+    protected $logExceptionStackTrace = false;
+
    private const IGNORED_EXCEPTION_CODES = [
        1396795884, // Current host header value does not match the configured trusted hosts pattern
        1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
@@ -88,7 +90,7 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
            if ($this->logger) {
                $this->logger->critical($logTitle . ': ' . $logMessage, [
                    'TYPO3_MODE' => TYPO3_MODE,
-                    'exception' => $exception
+                    'exception' => $this->logExceptionStackTrace ? $exception : null
                ]);
            }
            // Write error message to sys_log table

--- a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
@@ -26,6 +26,8 @@ use TYPO3\CMS\Core\Information\Typo3Information;
 */
 class DebugExceptionHandler extends AbstractExceptionHandler
 {
+    protected $logExceptionStackTrace = true;
+
    /**
     * Constructs this exception handler - registers itself as the default exception handler.
     */