The plain user password might appear in the log messages in case of an error (#1590)

CHANGELOG.md

@@ -20,6 +20,7 @@ developers to maintain and readjust their custom modifications on the main proje
 - Fix ICS file mimetype (#1630)
 - Incorrect Timezone Handling in CalDAV Synchronization Causes Time Shifts (#1626)
 - No color change in the appointment modal window (in the backend calendar) (#1641)
+- The plain user password might appear in the log messages in case of an error (#1590)
 
 
 

application/helpers/http_helper.php

@@ -136,11 +136,13 @@ if (!function_exists('json_exception')) {
         $response = [
             'success' => false,
             'message' => $e->getMessage(),
-            'trace' => config('debug') ? $e->getTrace() : [],
+            'trace' => trace($e),
         ];
 
         log_message('error', 'JSON exception: ' . json_encode($response));
 
+        unset($response['trace']); // Do not send the trace to the browser as it might contain sensitive info
+
         json_response($response, 500);
     }
 }
@@ -171,3 +173,19 @@ if (!function_exists('abort')) {
         show_error($message, $code);
     }
 }
+
+if (!function_exists('trace')) {
+    /**
+     * Prepare a well formatted string for an exception
+     *
+     * @param Throwable $e
+     *
+     * @return string
+     */
+    function trace(Throwable $e): string
+    {
+        return get_class($e) .
+            " '{$e->getMessage()}' in {$e->getFile()}({$e->getLine()})\n" .
+            "{$e->getTraceAsString()}";
+    }
+}