Edit report at https://bugs.php.net/bug.php?id=54114&edit=1
ID: 54114
Updated by: yohg...@php.net
Reported by: danhstevens at gmail dot com
Summary: Output Buffer Dumps Data On Error
Status: Not a bug
Type: Bug
Package: Output Control
Operating System: all
PHP Version: 5.3.5
Block user comment: N
Private report: N
New Comment:
I think this is not issue of output buffer, but error handling.
There is bug report that fatal error should be catch-able.
I think PHP should allow catching fatal errors even if it may results in
unexpected behavior. (i.e. Not all features work and could behave badly) Old
PHP
were able to catch E_ERROR, etc.
Previous Comments:
------------------------------------------------------------------------
[2013-09-30 18:05:12] m...@php.net
Well, this is pretty much the wrong
way then, IMO. Is this about Symfony 1 or 2?
------------------------------------------------------------------------
[2013-09-30 14:58:14] danhstevens at gmail dot com
Mike, this is a security issue because users of frameworks like Symfony are
highly
exposed to this bug. Symfony uses OB for parsing configuration files which
often
contain sensitive information. One syntax error in your config file and all
your
config params are on display to the www. It's unexpected behavior, and it can
(and
in my case, has) caused the release of sensitive information.
------------------------------------------------------------------------
[2013-09-30 12:11:25] m...@php.net
I'm not sure why this should be security related?
Why even output security sensitive information at all?
------------------------------------------------------------------------
[2011-08-17 13:44:19] nicolas dot grekas+php at gmail dot com
Here is an other example that can't be workaround using danhstevens' technique:
<?php
function my_shutdown()
{
echo "secret\n";
throw new Exception;
}
function ob_custom_filter($b)
{
return str_replace('secret', '******', $b);
}
register_shutdown_function('my_shutdown');
ob_start('ob_custom_filter');
?>
------------------------------------------------------------------------
[2011-03-10 19:41:28] danhstevens at gmail dot com
I've found a viable work-around for this bug (although a patch of the core
would still be ideal so people don't discover this potential security issue the
hard-way).
By registering the following shutdown handler before any output buffering the
dump of data can be prevented:
<?php
function shutdown_fn()
{
//If ob_start has been called at least once
if(ob_get_level() > 1)
{
//Prevent data in buffer from dumping
ob_end_clean();
}
}
register_shutdown_function('shutdown_fn');
Now when using the examples above that normally cause the buffer to dump to the
client the buffer data is disposed of. Of course, this can be extended to use
ob_get_contents and redirect the data to file or other means if necessary. This
approach is working for me (on PHP 5.3.5).
~Dan
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=54114
--
Edit this bug report at https://bugs.php.net/bug.php?id=54114&edit=1
