From d909040e78fca0daf42f706ddc37528f1a0bfc6d Mon Sep 17 00:00:00 2001
From: John Maguire <jmaguire@duosecurity.com>
Date: Tue, 1 Aug 2017 17:36:58 -0400
Subject: [PATCH] Remove sensitive data from logs during LDAP filters
---
 modules/ldap/lib/Auth/Process/BaseFilter.php | 12 +++++++++--
 .../ldap/lib/Auth/Process/BaseFilterTest.php | 20 +++++++++++++++++++
 2 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 tests/modules/ldap/lib/Auth/Process/BaseFilterTest.php
diff --git a/modules/ldap/lib/Auth/Process/BaseFilter.php b/modules/ldap/lib/Auth/Process/BaseFilter.php
index 2b6d5ba2b..f05e80b06 100644
--- a/modules/ldap/lib/Auth/Process/BaseFilter.php
+++ b/modules/ldap/lib/Auth/Process/BaseFilter.php
@@ -280,7 +280,7 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce
 ' Referrals: ' . ($referrals ? 'Yes' : 'No') .
 ' Timeout: ' . $timeout .
 ' Username: ' . $username .
- ' Password: ' . str_repeat('*', strlen($password))
+ ' Password: ' . (empty($password) ? '' : '********')
 );
 
 // Connect to the LDAP server to be queried during processing
@@ -300,8 +300,16 @@ abstract class sspmod_ldap_Auth_Process_BaseFilter extends SimpleSAML_Auth_Proce
 * @param mixed $value
 * @return string
 */
- protected function var_export($value)
+ public function var_export($value)
 {
+ // Remove sensitive data
+ foreach ($value as $key => &$val) {
+ if ($key === 'ldap.password') {
+ $val = empty($val) ? '' : '********';
+ }
+ }
+ unset($val);
+
 $export = var_export($value, true);
 $lines = explode("\n", $export);
 foreach ($lines as &$line) {
diff --git a/tests/modules/ldap/lib/Auth/Process/BaseFilterTest.php b/tests/modules/ldap/lib/Auth/Process/BaseFilterTest.php
new file mode 100644
index 000000000..fba76ec46
--- /dev/null
+++ b/tests/modules/ldap/lib/Auth/Process/BaseFilterTest.php
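Review bot: The masking expression `empty($password) ? '' : '********'` added here is repeated verbatim in the second hunk of this file (the `'ldap.password'` branch inside `var_export`), so the two sites can drift apart the next time the log format is touched; a small shared helper keeps them aligned, e.g. `private static function maskSecret($secret) { return empty($secret) ? '' : '********'; }` used as `' Password: ' . self::maskSecret($password)`. Note that `empty()` treats the string `'0'` as empty, so a password of `'0'` is logged as blank rather than masked — nothing leaks, but a one-line comment saying the blank is intentional would stop a reader from flagging it. The log call this line belongs to starts before the hunk.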
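Review bot: `foreach ($value as $key => &$val)` assumes an array, but the docblock directly above still declares `@param mixed $value`, so a scalar or string argument now raises an invalid-foreach warning before reaching `var_export($value, true)`, which handles scalars on its own. Guarding the masking keeps the method usable for any `$value` and removes the by-reference loop together with its `unset($val)`: `if (is_array($value) && array_key_exists('ldap.password', $value)) { $value['ldap.password'] = empty($value['ldap.password']) ? '' : '********'; }`. Only the top-level `'ldap.password'` key is masked; if the arrays passed to this method can hold other credential-bearing keys or nested arrays, those would still reach the log unchanged — worth confirming against the call sites, which are outside this patch. The visibility widens from `protected` to `public`, presumably so the new test can call it; a docblock line such as `Public only so that it can be unit-tested; not part of the filter API.` would prevent it being read as a supported entry point. The body of `var_export` continues past the end of the hunk.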
@@ -0,0 +1,20 @@
+<?php
+
+class sspmod_ldap_Auth_Process_BaseFilter_Test extends PHPUnit_Framework_TestCase
+{
+ public function testVarExportHidesLdapPassword()
+ {
+ $stub = $this->getMockBuilder('sspmod_ldap_Auth_Process_BaseFilter')
+ ->disableOriginalConstructor()
+ ->getMockForAbstractClass();
+
+ $this->assertEquals(
+ "array ( 'ldap.hostname' => 'ldap://172.17.101.32', 'ldap.port' => 389, 'ldap.password' => '********', )",
+ $stub->var_export(array(
+ 'ldap.hostname' => 'ldap://172.17.101.32',
+ 'ldap.port' => 389,
+ 'ldap.password' => 'password',
+ ))
+ );
+ }
+}
-- 
GitLab
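Review bot: The test pins only the non-empty `'ldap.password'` case, so the `empty()` branch (`'ldap.password' => ''`), an input without that key, and a non-array input are all unverified and a regression in any of them would pass unnoticed; two or three extra assertions, or a data provider feeding those inputs, would cover the whole change. The expected value is a single line, which presumably depends on `var_export` trimming and joining the exported lines in code outside this patch — if that formatting ever changes the test fails for an unrelated reason, whereas `$this->assertContains('********', $out)` plus `$this->assertNotContains('password', $out)` states the guarantee the commit is actually making. The fixture host `ldap://172.17.101.32` is only test data, but a placeholder such as `ldap://ldap.example.org` would avoid it reading as a real address.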