typo3 / typo3 / sysext / core / Classes / Error / AbstractExceptionHandler.php
    [SECURITY] Do not log stacktrace in exception handlers · c93ea692
    Torben Hansen authored Jun 14, 2022 and Oliver Hader committed Jun 14, 2022

    When a TYPO3 exception is handled through registered exception
    handlers, log writers may log sensitive information to logs,
    since the full stacktrace is logged.
    
    With this change, exception handlers that extend
    AbstractExceptionHandler except DebugExceptionHandler will
    by default not include the exception object any more and
    thereby not log the full stacktrace.
    
    Resolves: #96866
    Releases: main, 11.5, 10.4
    Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0
    Security-Bulletin: TYPO3-CORE-SA-2022-002
    Security-References: CVE-2022-31047
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74903
    
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>