From fb542d43c7e50fd723e393becf01259ae2f41250 Mon Sep 17 00:00:00 2001
From: Torben Hansen <derhansen@gmail.com>
Date: Tue, 14 Jun 2022 09:12:07 +0200
Subject: [PATCH] [SECURITY] Do not log stacktrace in exception handlers
When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace.
Resolves: #96866
Releases: main, 11.5, 10.4
Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0
Security-Bulletin: TYPO3-CORE-SA-2022-002
Security-References: CVE-2022-31047
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74898
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php | 4 +++-
typo3/sysext/core/Classes/Error/DebugExceptionHandler.php | 2 ++
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
index cceed600f186..7baf761c1901 100644
--- a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -40,6 +40,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
 const CONTEXT_WEB = 'WEB';
 const CONTEXT_CLI = 'CLI';
 
+ protected bool $logExceptionStackTrace = false;
+
 private const IGNORED_EXCEPTION_CODES = [
 1396795884, // Current host header value does not match the configured trusted hosts pattern
 1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
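Review bot: The new `protected bool $logExceptionStackTrace = false;` carries no doc comment, so a subclass author gets no hint that flipping it re-enables passing the full exception object to the logger — the very leak this commit closes — and, as far as this hunk shows, subclassing is the only way to turn it on (no constructor argument, setter or configuration option is introduced). I would put a docblock above the property: `/** Whether the exception object is handed to the logger context. Off by default: a full stack trace (frames, call arguments, previous exceptions) may expose secrets — see TYPO3-CORE-SA-2022-002. */`. It is also worth stating there that only the debug handler is expected to override it, so nobody copies the override into a production handler. The enclosing class body starts and continues outside the hunk.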
@@ -98,7 +100,7 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
 'line' => $exception->getLine(),
 'message' => $exception->getMessage(),
 'request_url' => $requestUrl,
- 'exception' => $exception,
+ 'exception' => $this->logExceptionStackTrace ? $exception : null,
 ]);
 }
 } catch (\Exception $exception) {
diff --git a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
index 1751d8886858..61abbf1d762f 100644
--- a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
+++ b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
@@ -26,6 +26,8 @@ use TYPO3\CMS\Core\Information\Typo3Information;
 */
 class DebugExceptionHandler extends AbstractExceptionHandler
 {
+ protected bool $logExceptionStackTrace = true;
+
 /**
 * Constructs this exception handler - registers itself as the default exception handler.
 */
-- GitLab
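Review bot: With the flag off, the `'exception'` key is still emitted, now holding `null`, which breaks the PSR-3 rule that an `exception` context entry, when present, must be a Throwable; assuming this array is the context of a logger call that opens above the hunk, any writer or processor that guards with `array_key_exists('exception', $context)` and then calls `$context['exception']->getTraceAsString()` would now fail on the null. I would omit the key rather than null it: leave `'request_url' => $requestUrl,` as the last fixed entry, assign the array to a local, and add `if ($this->logExceptionStackTrace) { $context['exception'] = $exception; }` before passing it to the logger. Separately, `'message' => $exception->getMessage()` is still logged unconditionally, and exception messages from database drivers or HTTP clients can embed credentials or request payloads, so this change narrows but does not remove the exposure the bulletin describes — a one-line comment on that line saying so would help the next reader. The logger call and its enclosing method start outside the hunk.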
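Review bot: The override `protected bool $logExceptionStackTrace = true;` in DebugExceptionHandler has no comment explaining why this handler deliberately keeps the behaviour the parent just switched off, so a later cleanup could "harmonise" it away, or someone could copy the pattern into a production handler without realising it restores full stack-trace logging. Suggest `/** Development handler: the full exception object, including its stack trace, is intentionally passed to the logger. Do not copy this override into handlers that may run in production. */` above the property. Whether this handler can be selected in production contexts is not visible in the hunk, so that caveat is the point of the comment rather than a claim about configuration.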