[SECURITY] Avoid logging sensitive information during authentication 03/60703/2
authorHelmut Hummel <typo3@helhum.io>
Tue, 7 May 2019 09:44:05 +0000 (11:44 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 7 May 2019 09:44:16 +0000 (11:44 +0200)
In order to avoid logging sensitive information through the logging
framework during authentication, the affected messages are now logged at log level DEBUG.

Resolves: #88230
Releases: master, 9.5
Security-Commit: 625428b6364308f9f07f331bd176110d01e6c2f2
Security-Bulletin: TYPO3-CORE-SA-2019-010
Change-Id: I3e19afad6937515e0f6e1ab0a1c6d7004d182b79
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60703
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Authentication/AbstractUserAuthentication.php

index 6d42bff..f76f940 100644 (file)
@@ -793,14 +793,14 @@ abstract class AbstractUserAuthentication implements LoggerAwareInterface
                     $logData = [
                         'loginData' => $loginData
                     ];
-                    $this->logger->warning('Login failed', $logData);
+                    $this->logger->debug('Login failed', $logData);
                 }
                 if (!empty($tempuserArr)) {
                     $logData = [
                         $this->userid_column => $tempuser[$this->userid_column],
                         $this->username_column => $tempuser[$this->username_column],
                     ];
-                    $this->logger->warning('Login failed', $logData);
+                    $this->logger->debug('Login failed', $logData);
                 }
             }
         }
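Review bot: Both calls still pass the same context to the logger, so the first one (`'loginData' => $loginData`) keeps writing whatever the login form submitted whenever a log writer is configured at DEBUG level; the change lowers the level but redacts nothing. If `$loginData` carries the submitted secret (in TYPO3 it presumably holds `uident` next to `uname`; the array is built outside this hunk), strip it before logging, e.g. `'loginData' => array_diff_key($loginData, ['uident' => true, 'uident_text' => true])`. The second call logs only the uid and username columns, so it could stay at `warning`; at `debug`, failed logins for known accounts no longer appear in this log at default levels, which monitoring for password guessing may rely on. The enclosing method begins and ends outside the hunk, so confirm whether another audit record of the failure is written there.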