fix: treat text app session parameters as sensitive values
* `PublicSessionController create` receives a share token.
* The others receive the parameters for a text session:
`document_id`, `session_id`, `session_token`.
Even though these are relatively short-lived,
they could be used to retrieve content from the document when leaked.
Signed-off-by: Max <max@nextcloud.com>
fix(ExceptionSerializer): encode arguments before filtering the trace
This will avoid running into a Nesting level too deep error as the
encodeArg calls will limit potential recursive calls on the arguments to
a nesting level of 5
Signed-off-by: Julius Härtl <jus@bitgrid.net>
It was only logged when an exception was provided or when using
logData (which is not used much).
We make sure the interpolated parameters are not logged.
Only tested with file write logger, but shouldn't work differently.
Crash reporters always had the context.
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
Set a maximum level of encoding nested arguments of exception traces
This will make sure that nested objects or arrays do not cause exceeding
the maximum nesting level of functions when parsing arguments of an
exception trace
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Applies the suggested transformation mentioned in
https://www.php.net/manual/en/migration80.incompatible.php,
> The @ operator will no longer silence fatal errors (E_ERROR,
> E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR, E_RECOVERABLE_ERROR,
> E_PARSE). Error handlers that expect error_reporting to be 0 when
> @ is used, should be adjusted to use a mask check instead
The new code still works on PHP 7, as error_reporting() already
returns 0 when diagnostics are suppressed.
This fixes https://github.com/nextcloud/server/issues/25807 in PHP 8.0.
For PHP 7.x, https://github.com/nextcloud/server/pull/22243 suppresses
the E_NOTICE message from the second session_start() call with the error
suppression operator @, and thus those E_NOTICE messages are still
logged in PHP 8.0.
See also https://github.com/nextcloud/server/issues/25806
Signed-off-by: Chih-Hsuan Yen <yan12125@gmail.com>
In some cases it might happen that you have an argument that deep down
somewhere has an array with a lot of entries (think thousands). Now
before we would just happily print them all. Which would fill the log.
Now it will just print the first 5. And add a line that there are N
more.
If you are on debug level we will still print them all.
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
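The bounded encoding described in the commit messages above (nesting capped at 5, only the first 5 array entries below debug level, sensitive method arguments replaced), as an added PHP 8 example that is not Nextcloud's own code. The function bodies, `MAX_ITEMS`, the `REDACTED` text, the `__class__` and `__truncated__` keys, the `Importer` frame and the sample trace are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

const MAX_DEPTH = 5; // nesting limit named in the commit messages
const MAX_ITEMS = 5; // entries kept per array below debug level
const REDACTED = '*** sensitive parameter replaced ***'; // assumed placeholder text

// Turn one trace argument into a bounded value that is safe to log.
function encodeArg(mixed $arg, bool $debug = false, int $depth = MAX_DEPTH): mixed {
	if (is_object($arg)) {
		// Only public properties are visible from here; enough for the illustration.
		$arg = ['__class__' => get_class($arg)] + get_object_vars($arg);
	}
	if (!is_array($arg)) {
		return $arg;
	}
	if ($depth === 0) {
		return 'nesting limit reached, ' . count($arg) . ' entries omitted';
	}
	// Debug level keeps every entry; otherwise only the first MAX_ITEMS.
	$kept = $debug ? $arg : array_slice($arg, 0, MAX_ITEMS, true);
	$out = [];
	foreach ($kept as $key => $value) {
		$out[$key] = encodeArg($value, $debug, $depth - 1);
	}
	if (count($kept) < count($arg)) {
		$out['__truncated__'] = 'And ' . (count($arg) - count($kept)) . ' more entries';
	}
	return $out;
}

// Redact the arguments of frames listed in $sensitive (class => methods), encode the rest.
function filterTrace(array $trace, array $sensitive, bool $debug = false): array {
	return array_map(function (array $frame) use ($sensitive, $debug): array {
		$args = $frame['args'] ?? [];
		$hit = in_array($frame['function'] ?? '', $sensitive[$frame['class'] ?? ''] ?? [], true);
		$frame['args'] = $hit ? array_fill(0, count($args), REDACTED) : encodeArg($args, $debug);
		return $frame;
	}, $trace);
}

// Constructed sample trace: one sensitive frame, one frame with a huge and a deep argument.
$deep = ['a' => ['b' => ['c' => ['d' => ['e' => ['f' => 'too deep']]]]]];
$trace = [
	['class' => 'PublicSessionController', 'function' => 'create', 'args' => ['constructed-share-token']],
	['class' => 'Importer', 'function' => 'run', 'args' => [range(1, 1000), $deep]],
];
echo json_encode(filterTrace($trace, ['PublicSessionController' => ['create']]), JSON_PRETTY_PRINT), "\n";
```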
Format control structures, classes, methods and function
To continue this formatting madness, here's a tiny patch that adds
unified formatting for control structures like if and loops as well as
classes, their methods and anonymous functions. This basically forces
the constructs to start on the same line. This is not exactly what PSR2
wants, but I think we can have a few exceptions with "our" style. The
starting of braces on the same line is practically standard for our
code.
This also removes any empty lines from method/function bodies at the
beginning and end.
Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>