Potential security issue

[am4rth]

If the ChainRouter does not find a match it throws a exception in which the request object is dumped as a string

Routing/src/ChainRouter.php

Line 177 in d1e3ba5

? "this request\n$request"

This can have security implications as all headers of the request (including Authorization-Header) are dumped in the exception. If this exception is logged or stored somewhere it can leak sensitive information or enable third parties access to private information.

Proposal: only add the requested method and path to the exception message

[dbu]

thanks for reporting this issue. you are right, there is the risk of leaking sensitive information into logs.

matching can happen on other things than the path and method. i think we should adjust the message a bit to not lead people to only look at the path and be confused.

do you have time to propose a pull request?

[am4rth]

I will try to write a fix in the next couple of weeks :)