
Request #3839 Debug output printing password
Submitted: 2005-03-16 04:43 UTC
From: jausions
Assigned:
Status: Wont fix
Package: Payment_Process
PHP Version: Irrelevant
OS: Irrelevant
Roadmaps: (Not assigned)
Comments

 [2005-03-16 04:43 UTC] jausions
Description:
------------
The debug output dangerously prints out the password (if set) to the payment gateway (at least for the Authorize.Net processor). For security reasons, I strongly recommend hiding the password value from all debug output (and maybe having a "super" debug mode, where the password would then be printed). I can easily imagine a debug output lingering in a web browser's cache... Passwords to a payment gateway are certainly something you don't want to display very often...

-Philippe

Reproduce code:
---------------
in Payment_Process_Common

<?php
/**
 * Hides the password in the debug output
 *
 * @param array $data
 * @return array filtered password in data
 * @access protected
 */
function _hidePasswordOnDebug($data)
{
    if (isset($data['password'])) {
        $data['password'] = '[*********]';
    }
    // Guard the field-map lookup so a processor without a mapped
    // password field does not trigger an "undefined index" notice.
    if (isset($this->_fieldMap['password'])
        && isset($data[$this->_fieldMap['password']])) {
        $data[$this->_fieldMap['password']] = '[*********]';
    }
    return $data;
}
?>

and then change the debug print_r to:

<?php
print_r($this->_hidePasswordOnDebug($this->_data));
?>


 [2005-03-22 16:38 UTC] jausions
Additionally, the test for debug mode spits out "undefined index" warnings when the option is not set in the array... -Philippe
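The two problems raised in this report (the gateway password landing in debug output, and the debug-mode test raising "undefined index" notices when the option is absent) combined into one standalone helper. This is an added example, not Payment_Process code; the field-map keys and sample values are constructed, and the redaction is generalised to nested arrays and case-insensitive key matching.

```php
<?php
// Added example (not from Payment_Process): redact gateway credentials
// before any debug dump, and test the debug option without notices.

/**
 * Return a copy of $data with sensitive values masked. Keys are matched
 * case-insensitively and nested arrays are handled recursively.
 */
function redactSensitive(array $data, array $sensitiveKeys)
{
    $lookup = array_fill_keys(array_map('strtolower', $sensitiveKeys), true);
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = redactSensitive($value, $sensitiveKeys);
        } elseif (isset($lookup[strtolower((string) $key)])) {
            $data[$key] = '[*********]';
        }
    }
    return $data;
}

/**
 * Print a debug dump only when the option is explicitly enabled.
 * empty() does not raise a notice on a missing key, so an $options
 * array that never set 'debug' is handled silently.
 */
function debugDump(array $options, array $data, array $fieldMap)
{
    if (empty($options['debug'])) {
        return false;
    }
    // Mask both the generic name and the gateway-specific name from the map.
    $sensitive = array('password');
    if (isset($fieldMap['password'])) {
        $sensitive[] = $fieldMap['password'];
    }
    print_r(redactSensitive($data, $sensitive));
    return true;
}

// Constructed sample input: hypothetical field map and dummy values.
$fieldMap = array('login' => 'x_login', 'password' => 'x_password');
$data = array(
    'x_login'    => 'merchant-demo',
    'x_password' => 'not-a-real-secret',
    'extra'      => array('Password' => 'nested-dummy'),
);
debugDump(array(), $data, $fieldMap);                // no output, no notice
debugDump(array('debug' => true), $data, $fieldMap); // both secrets masked
```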
 [2005-07-07 23:24 UTC] jstump
For now we've removed all debugging code. We're moving to using PEAR's Log package (see Payment_Process::accept() and Payment_Process::log() in CVS). If you're logging to a file (or a database) this becomes a moot point. Also, what's the big deal of outputting the password to the screen when you should be a.) testing on a dev box before pushing to production and b.) this is all run via an SSL enabled page :) At any rate, this bug is irrelevant now that we're moving towards PEAR's Log.