

As an addendum, thank you to the Symfony docs folks who have already addressed the highlighted issue and updated their Logging documentation accordingly.

https://reddit.com/r/PHP/comments/11k2o6i/on_the_use_of_psr3_placeholders/

And now Laravel has updated their configuration to default new projects to interpolating PSR-3 placeholders, too!

The Laravel docs have now also been updated accordingly!

Thanks for pointing that out! I was indeed using PSR-3 loggers incorrectly without knowing it. However, I don't understand how placeholders reduce the security risk.

User-supplied data should be sanitised anyway, whether used directly in the log message (which I now know is wrong) or in the context array. What am I missing?

Or is it meant to not sanitise user-supplied data and persist whatever comes (including malicious stuff) and let the part of the software that displays the logs and interpolates the placeholders take care of the risk?