[SECURITY] Do not log stacktrace in exception handlers

When a TYPO3 exception is handled through registered exception handlers, log writers may log sensitive information to logs, since the full stacktrace is logged. With this change, exception handlers that extend AbstractExceptionHandler except DebugExceptionHandler will by default not include the exception object any more and thereby not log the full stacktrace. Resolves: #96866 Releases: main, 11.5, 10.4 Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0 Security-Bulletin: TYPO3-CORE-SA-2022-002 Security-References: CVE-2022-31047 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74903 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jun 14, 2022 · c93ea69 · c93ea69
1 parent 7447a3d
commit c93ea69
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php b/typo3/sysext/core/Classes/Error/AbstractExceptionHandler.php
@@ -40,6 +40,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
     const CONTEXT_WEB = 'WEB';
     const CONTEXT_CLI = 'CLI';
 
+    protected bool $logExceptionStackTrace = false;
+
     private const IGNORED_EXCEPTION_CODES = [
         1396795884, // Current host header value does not match the configured trusted hosts pattern
         1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
@@ -98,7 +100,7 @@ protected function writeLogEntries(\Throwable $exception, string $mode): void
                     'line' => $exception->getLine(),
                     'message' => $exception->getMessage(),
                     'request_url' => $requestUrl,
-                    'exception' => $exception,
+                    'exception' => $this->logExceptionStackTrace ? $exception : null,
                 ]);
             }
         } catch (\Exception $exception) {

diff --git a/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php b/typo3/sysext/core/Classes/Error/DebugExceptionHandler.php
@@ -26,6 +26,8 @@
  */
 class DebugExceptionHandler extends AbstractExceptionHandler
 {
+    protected bool $logExceptionStackTrace = true;
+
     /**
      * Constructs this exception handler - registers itself as the default exception handler.
      */
-Original file line number
+Diff line change
@@ Expand Up / @@ -26,6 +26,8 @@ @@
      */
     class DebugExceptionHandler extends AbstractExceptionHandler
     {
+        protected bool $logExceptionStackTrace = true;
         /**
          * Constructs this exception handler - registers itself as the default exception handler.
          */
@@ Expand Down @@