From f9a1f1830ab123374ddbeb10bd54a2dde1349011 Mon Sep 17 00:00:00 2001
From: Torben Hansen <derhansen@gmail.com>
Date: Tue, 14 Jun 2022 09:11:23 +0200
Subject: [PATCH] [SECURITY] Do not log stacktrace in exception handlers

When a TYPO3 exception is handled through registered exception
handlers, log writers may log sensitive information to logs,
since the full stacktrace is logged.

With this change, exception handlers that extend
AbstractExceptionHandler except DebugExceptionHandler will
by default not include the exception object any more and
thereby not log the full stacktrace.

Resolves: #96866
Releases: main, 11.5, 10.4
Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0
Security-Bulletin: TYPO3-CORE-SA-2022-002
Security-References: CVE-2022-31047
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74893
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php | 4 +++-
 typo3/sysext/core/Classes/Error/DebugExceptionHandler.php    | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
index cbd972802d8c..53543627714f 100644
--- a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -37,6 +37,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
     const CONTEXT_WEB = 'WEB';
     const CONTEXT_CLI = 'CLI';
 
+    protected $logExceptionStackTrace = false;
+
     private const IGNORED_EXCEPTION_CODES = [
         1396795884, // Current host header value does not match the configured trusted hosts pattern
         1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
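Review bot: The new `$logExceptionStackTrace` property has no docblock, so a third-party handler extending AbstractExceptionHandler cannot tell that flipping it re-enables the sensitive-data exposure this patch is closing. I would add above it `/** @var bool Whether the Throwable itself (and thus its full stack trace and argument values) is passed to the logger context. Keep false outside development; see TYPO3-CORE-SA-2022-002. */`. A native `bool` type would be preferable, but if the 10.4 branch still supports PHP < 7.4 the untyped declaration is the only portable option; the `@var` annotation at least gives static analysis the type. The class body continues outside this hunk.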
@@ -88,7 +90,7 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
             if ($this->logger) {
                 $this->logger->critical($logTitle . ': ' . $logMessage, [
                     'TYPO3_MODE' => TYPO3_MODE,
-                    'exception' => $exception
+                    'exception' => $this->logExceptionStackTrace ? $exception : null
                 ]);
             }
             // Write error message to sys_log table
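Review bot: The ternary on the changed line still emits an `exception` key with a `null` value, so any log writer or processor that iterates the whole context, or that checks `array_key_exists('exception', ...)` rather than `isset`, will see an entry it has to special-case; building the context array conditionally avoids handing writers a key that carries no value. Dropping the Throwable entirely also removes the class, file and line of the failure, which operators need for triage without being a disclosure risk — a minimal `'exception_class' => get_class($exception)` and `'exception_code' => $exception->getCode()` keeps logs actionable; whether `$logMessage` (assigned outside this hunk) already carries that cannot be confirmed from here. The enclosing method starts before and ends after this hunk, and the sys_log write that follows it is not visible, so it should be checked separately for the same stack-trace leakage.
```php
if ($this->logger) {
    $context = ['TYPO3_MODE' => TYPO3_MODE];
    if ($this->logExceptionStackTrace) {
        // Development-only: the Throwable carries the full trace and call arguments.
        $context['exception'] = $exception;
    }
    $this->logger->critical($logTitle . ': ' . $logMessage, $context);
}
// … unchanged: sys_log write …
```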
diff --git a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
index 320784c7517b..1bf6648ad56e 100644
--- a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
@@ -26,6 +26,8 @@ use TYPO3\CMS\Core\Information\Typo3Information;
  */
 class DebugExceptionHandler extends AbstractExceptionHandler
 {
+    protected $logExceptionStackTrace = true;
+
     /**
      * Constructs this exception handler - registers itself as the default exception handler.
      */
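Review bot: The override to `true` is the one place where the full stack trace still reaches log writers, and nothing on the line says why that is acceptable here; a reader auditing handlers after this advisory will want that stated. I would add above it `// Debug handler is for development only: keep the Throwable (and its trace) in the log context.`. Whether this handler is in fact restricted to development configurations cannot be confirmed from this hunk, so the comment should be worded to match however it is actually wired up.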
-- 
GitLab