Closed
Description
A new attribute named #[SensitiveParameter] has been introduced in PHP 8.2 to prevent sensitive method arguments from leaking into application logs, exceptions and backtraces. I think it would be great to add this attribute across the framework.
Here is the RFC: https://wiki.php.net/rfc/redact_parameters_in_back_traces
Human-readable RFC: https://php.watch/versions/8.2/backtrace-parameter-redaction
Here is the commit to php-src: php/php-src@9085197
I created this RFC to discuss whether there is any contraindication to doing this. You'll find a simple example below of what it would look like.
Example
Password credentials
namespace Symfony\Component\Security\Http\Authenticator\Passport\Credentials;
// ...
class PasswordCredentials implements CredentialsInterface
{
    // ...
    public function __construct(
        #[\SensitiveParameter]
        string $password
    ) {
        $this->password = $password;
    }
    // ...
}
HttpOptions
namespace Symfony\Component\HttpClient;
// ...
class HttpOptions
{
    // ...
    public function setAuthBasic(
        string $user,
        #[\SensitiveParameter]
        string $password = ''
    ): static
    {
        $this->options['auth_basic'] = $user;
        if ('' !== $password) {
            $this->options['auth_basic'] .= ':'.$password;
        }
        return $this;
    }
    // ...
}
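Added example, not part of the original issue or of Symfony's code: what an exception trace records for a password argument with and without the attribute on PHP 8.2 or later. The function names `loginPlain`, `loginRedacted` and `describeTraceArgs` and the credential values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (requires PHP >= 8.2). Function names and the credential
// values below are constructed for illustration.

// Production php.ini files usually set this to On, which drops all arguments
// from exception traces; turn it off to observe per-parameter redaction.
ini_set('zend.exception_ignore_args', '0');

function loginPlain(string $user, string $password): never
{
    throw new RuntimeException('backend unavailable');
}

function loginRedacted(string $user, #[\SensitiveParameter] string $password): never
{
    throw new RuntimeException('backend unavailable');
}

/** Describe the arguments recorded in the innermost frame of the trace. */
function describeTraceArgs(callable $fn): array
{
    try {
        $fn('alice', 'constructed-secret');
    } catch (RuntimeException $e) {
        return array_map(
            // Redacted arguments are replaced by a SensitiveParameterValue object.
            static fn (mixed $arg): string => $arg instanceof \SensitiveParameterValue
                ? 'Object(SensitiveParameterValue)'
                : var_export($arg, true),
            $e->getTrace()[0]['args'] ?? []
        );
    }

    return [];
}

// Without the attribute the password string is stored in the trace;
// with it, only the placeholder object appears in that position.
print_r(describeTraceArgs('loginPlain'));
print_r(describeTraceArgs('loginRedacted'));
```

The placeholder object still holds the original argument and returns it from `SensitiveParameterValue::getValue()`, so the attribute keeps secrets out of rendered traces and logs but does not remove them from memory.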