ZF-12038: Zend_Auth_Adapter_Ldap shows passwords with more than 15 characters in stacktrace

Issue Type: Patch
Created: 2012-02-02T19:19:45.000+0000
Last Updated: 2012-02-03T08:43:04.000+0000
Status: Resolved
Fix version(s):
  • 1.11.12 (22/Jun/12)
  • 1.12.0 (27/Aug/12)
  • Next Major Release ()
Reporter: Andreas Tetzl (andreas_t)
Assignee: Stefan Gehrig (sgehrig)
Tags: Zend_Auth_Adapter_Ldap
Related issues:
Attachments:


Zend_Auth_Adapter_Ldap masks passwords in the stacktrace with *****.

Example:

    Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind('username@exampl...', '*****')

With passwords longer than 15 characters, the first 15 characters show up in the stacktrace.

Example with password "abcdefghijklmnop":

    Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind('username@exampl...', 'abcdefghijklmno...')

This happens because PHP truncates function arguments to 15 characters in stacktrace, see Zend/zend_exceptions.c:529 of PHP source.

My fix is to truncate the password to 15 characters before replacing it with *****.

This is related to #ZF-11839 but not fixed there.

Patch for Zend/Auth/Adapter/Ldap.php: {quote} 374c374

< $messages[] = preg_replace('/\b'.preg_quote($password, '/').'\b/', '*****', $zle->getTraceAsString());

$messages[] = preg_replace('/\b'.preg_quote(substr($password, 0, 15), '/').'\b/', '*****', $zle->getTraceAsString());
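Review bot: the `\b` anchors kept on both sides of the literal in the new line 374 still fail to mask a password whose first 15 characters begin or end with a non-word character (for example `!` or `-`): PHP renders the truncated argument as `'<15 chars>...'`, and there is no word boundary between two non-word characters, so neither the old nor the new pattern matches in that case. Consider matching the quoted prefix directly, e.g. `str_replace("'" . substr($password, 0, 15), "'*****", $zle->getTraceAsString())`, or at least dropping the trailing `\b`. It would also help to leave a comment that the literal 15 mirrors the argument truncation in PHP's zend_exceptions.c, so the mask is revisited if that constant ever changes.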


Example script:

```php
require_once "Zend/Auth/Adapter/Ldap.php";
require_once "Zend/Auth.php";

$options = array(
    'server1' => array(
        'host'              => "",
        'username'          => "cn=user,dc=example,dc=com",
        'password'          => "password",
        'bindRequiresDn'    => true,
        'accountDomainName' => "",
        'baseDn'            => "o=user,dc=example,dc=com",
    ),
);

$username = "username";

// Short password (15 characters): fully masked in the stack trace
$password = "abcdefghijklmno";
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($adapter);

// Long password (16 characters): the first 15 characters show up in the stack trace
$password = "abcdefghijklmnop";
$adapter = new Zend_Auth_Adapter_Ldap($options, $username, $password);
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($adapter);
```
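The following is an added stand-alone illustration, not code from Zend Framework or from the reporter: it mimics how PHP renders a string argument in a trace (first 15 characters plus "..."), then runs the original masking regex and the patched one over a constructed trace line. The helper names and the sample passwords are assumptions made for this example; the third password shows a case the `\b` anchors still miss.

```php
<?php
// Mimic PHP's trace formatter: string arguments longer than 15 characters
// are cut to 15 and suffixed with "..." (behaviour cited in the report).
function renderTraceArg($value) {
    if (strlen($value) > 15) {
        return "'" . substr($value, 0, 15) . "...'";
    }
    return "'" . $value . "'";
}

// Constructed trace line in the same shape as the one in the report.
function buildTraceLine($username, $password) {
    return '#0 Zend/Auth/Adapter/Ldap.php(316): Zend_Ldap->bind('
        . renderTraceArg($username) . ', ' . renderTraceArg($password) . ')';
}

// Original masking: looks for the full password, so a password longer than
// 15 characters never matches the truncated argument and leaks its prefix.
function maskOriginal($password, $trace) {
    return preg_replace('/\b' . preg_quote($password, '/') . '\b/', '*****', $trace);
}

// Masking as patched in this issue: only the first 15 characters can appear
// in the trace, so only those are searched for.
function maskFixed($password, $trace) {
    return preg_replace('/\b' . preg_quote(substr($password, 0, 15), '/') . '\b/', '*****', $trace);
}

$username = 'username@example.com';   // constructed, renders as 'username@exampl...'
$samples = array(
    'abcdefghijklmno',   // 15 chars: both variants mask it
    'abcdefghijklmnop',  // 16 chars: original leaks, patched masks
    'abcdefghijklmn!x',  // 16 chars, 15th char is '!': \b fails, neither masks
);
foreach ($samples as $password) {
    $trace = buildTraceLine($username, $password);
    printf("%-18s original: %s\n", $password, maskOriginal($password, $trace));
    printf("%-18s fixed:    %s\n", $password, maskFixed($password, $trace));
}
```

The third sample shows why the `\b` anchors are a weak spot in both variants: with the trace rendering the prefix as `'abcdefghijklmn!...'`, there is no word boundary between `!` and `.`, so the pattern does not match and the prefix is printed unmasked.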




Posted by Stefan Gehrig (sgehrig) on 2012-02-03T08:43:04.000+0000

Fixed in ZF1 trunk, ZF1 1.11-branch and issued pull request for ZF2
