Commit c93ea692 authored by Torben Hansen's avatar Torben Hansen Committed by Oliver Hader
Browse files

[SECURITY] Do not log stacktrace in exception handlers

When a TYPO3 exception is handled through registered exception
handlers, log writers may log sensitive information to logs,
since the full stacktrace is logged.

With this change, exception handlers that extend
AbstractExceptionHandler except DebugExceptionHandler will
by default not include the exception object any more and
thereby not log the full stacktrace.

Resolves: #96866
Releases: main, 11.5, 10.4
Change-Id: Iaf233eefc9a1a60334a47753baf457e8282e68c0
Security-Bulletin: TYPO3-CORE-SA-2022-002
Security-References: CVE-2022-31047

Tested-by: Oliver Hader's avatarOliver Hader <>
Reviewed-by: Oliver Hader's avatarOliver Hader <>
parent 7447a3d1
......@@ -40,6 +40,8 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
const CONTEXT_WEB = 'WEB';
const CONTEXT_CLI = 'CLI';
protected bool $logExceptionStackTrace = false;
1396795884, // Current host header value does not match the configured trusted hosts pattern
1581862822, // Failed HMAC validation due to modified __trustedProperties in extbase property mapping
......@@ -98,7 +100,7 @@ abstract class AbstractExceptionHandler implements ExceptionHandlerInterface, Si
'line' => $exception->getLine(),
'message' => $exception->getMessage(),
'request_url' => $requestUrl,
'exception' => $exception,
'exception' => $this->logExceptionStackTrace ? $exception : null,
} catch (\Exception $exception) {
......@@ -26,6 +26,8 @@ use TYPO3\CMS\Core\Information\Typo3Information;
class DebugExceptionHandler extends AbstractExceptionHandler
protected bool $logExceptionStackTrace = true;
* Constructs this exception handler - registers itself as the default exception handler.
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment