Issues

ZF-12038: Zend_Auth_Adapter_Ldap shows passwords with more than 15 characters in stacktrace

Description

Zend_Auth_Adapter_Ldap masks passwords in the stacktrace with *****.

Example: bq. Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind('username@exampl...', {color:red}'*****'{color})

With passwords longer than 15 characters, the first 15 characters show up in the stacktrace.

Example with password "abcdefghijklmnop": bq. Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind('username@exampl...', {color:red}'abcdefghijklmno...'{color})

This happens because PHP truncates string function arguments to 15 characters in the stacktrace; see Zend/zend_exceptions.c:529 of the PHP source.

My fix is to truncate the password to 15 characters before replacing it with *****.

This is related to #ZF-11839 but not fixed there.

Patch for Zend/Auth/Adapter/Ldap.php: {quote} 374c374

< $messages[] = preg_replace('/\b'.preg_quote($password, '/').'\b/', '*****', $zle->getTraceAsString());

                $messages[] = preg_replace('/\b'.preg_quote(substr($password, 0, 15), '/').'\b/', '*****', $zle->getTraceAsString());

{quote}
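Review bot: the `\b` word-boundary anchors kept on the replacement line make the masking silently fail whenever the 15-character prefix ends in a non-word character. For a password such as `abcdefghijklmn!op` the trace renders the argument as `'abcdefghijklmn!...'`, and there is no word boundary between `!` and `.`, so preg_replace() matches nothing and the prefix stays in the message; the same applies to a short password ending in `!`, `$` or similar, where `'` follows it. A plain `str_replace(substr($password, 0, 15), '*****', $zle->getTraceAsString())` masks in all those cases, and with an explicit guard for an empty password it also avoids the degenerate pattern `/\b\b/` that the regex form builds from `preg_quote('')`, which would insert `*****` at every word boundary of the trace. The literal 15 is coupled to the zend_exceptions.c constant cited in the description; naming it as a class constant with a comment pointing at that source would make the dependency visible to the next maintainer.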

Example script: {quote}
require_once "Zend/Auth/Adapter/Ldap.php";
require_once "Zend/Auth.php";

$options = array(
    'server1' => array(
        'host'              => "ldap.example.com",
        'username'          => "cn=user,dc=example,dc=com",
        'password'          => "password",
        'bindRequiresDn'    => true,
        'accountDomainName' => "example.com",
        'baseDn'            => "o=user,dc=example,dc=com",
    ),
);

$username = "username";

// Short password (15 characters): fully masked in the stacktrace
$password = "abcdefghijklmno";
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($adapter);
print_r($result->getMessages());

// Long password (16 characters): the first 15 characters show up in the stacktrace
$password = "abcdefghijklmnop";
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$result = $auth->authenticate($adapter);
print_r($result->getMessages());
{quote}
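To reproduce the masking behaviour without an LDAP server, here is an added example (not code from the issue or from Zend Framework) that builds a trace line in the shape PHP prints for Zend_Ldap->bind(), following the issue's own example line, and runs the pre-patch and the patched preg_replace() over it. The constant TRACE_ARG_MAX, the fakeTrace() helper, the str_replace() variant and the leaks() check are this example's own assumptions, not part of the patch or of the adapter.

```php
<?php
// Added example (not Zend Framework code) that reproduces the masking problem
// without an LDAP server: it builds a trace line in the shape PHP emits for
// Zend_Ldap->bind() and applies the original and the patched preg_replace() to it.

// PHP truncates string arguments in getTraceAsString() output to this many
// characters followed by "..." (zend_exceptions.c, as cited in the issue).
define('TRACE_ARG_MAX', 15);

// Render one string argument the way PHP renders it in a stack trace.
function traceArg($s)
{
    if (strlen($s) > TRACE_ARG_MAX) {
        return "'" . substr($s, 0, TRACE_ARG_MAX) . "...'";
    }
    return "'" . $s . "'";
}

// Constructed stand-in for the trace Zend_Auth_Adapter_Ldap puts into its messages.
function fakeTrace($username, $password)
{
    return "#0 Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind("
        . traceArg($username) . ", " . traceArg($password) . ")\n#1 {main}";
}

// Masking before the patch: the pattern contains the whole password, which never
// appears in the trace once the password is longer than TRACE_ARG_MAX.
function maskOriginal($trace, $password)
{
    return preg_replace('/\b' . preg_quote($password, '/') . '\b/', '*****', $trace);
}

// Masking as patched in the issue: match only the prefix that survives truncation.
function maskPatched($trace, $password)
{
    $prefix = substr($password, 0, TRACE_ARG_MAX);
    return preg_replace('/\b' . preg_quote($prefix, '/') . '\b/', '*****', $trace);
}

// Suggested variant (an assumption of this example, not part of the patch): a
// plain str_replace() of the prefix needs no \b anchors, so it still masks when
// the prefix ends in a non-word character, and it skips the empty password, for
// which the regex versions would degenerate to /\b\b/ and mask every boundary.
function maskStrict($trace, $password)
{
    if ($password === '') {
        return $trace;
    }
    return str_replace(substr($password, 0, TRACE_ARG_MAX), '*****', $trace);
}

// True if the part of the password that can appear in the trace is still visible.
function leaks($masked, $password)
{
    return $password !== ''
        && strpos($masked, substr($password, 0, TRACE_ARG_MAX)) !== false;
}

$username  = 'username@example.com';   // longer than 15, rendered as 'username@exampl...'
$passwords = array(
    'abcdefghijklmno',    // 15 chars: not truncated, every variant masks it
    'abcdefghijklmnop',   // 16 chars: original leaks the first 15, patched masks
    'abcdefghijklmn!op',  // prefix ends in '!': \b fails, only str_replace masks
);

foreach ($passwords as $password) {
    $trace = fakeTrace($username, $password);
    printf("%-18s original: %-6s patched: %-6s strict: %s\n",
        $password,
        leaks(maskOriginal($trace, $password), $password) ? 'LEAK' : 'masked',
        leaks(maskPatched($trace, $password), $password) ? 'LEAK' : 'masked',
        leaks(maskStrict($trace, $password), $password)   ? 'LEAK' : 'masked');
    echo "  " . strtok(maskPatched($trace, $password), "\n") . "\n";
}
```

The first password reports masked for all three variants, the second shows the original masking leaking while the patched version masks (`'*****...'`), and the third shows that the patched regex still leaks when the truncated prefix ends in a non-word character, which only the str_replace() variant handles.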

Comments

Fixed in ZF1 trunk, ZF1 1.11-branch and issued pull request for ZF2