fix(sec-010): strip C++ source paths from exception messages #141

Merged
s2x merged 1 commit into main from feat/sec-010-verbose-errors on May 30, 2026

s2x (Contributor) commented May 30, 2026

Summary

Add verboseErrors parameter to ZVec::init() to control error detail disclosure. When verboseErrors=false (default), ZVecException omits file/line/function properties, preventing internal path leakage to end users.

Also strip __FILE__ to basename in MAKE_STATUS macro via strrchr() to reduce information disclosure even in verbose mode.

Changes

  • src/ZVec.php: Add private static bool $verboseErrors = false and bool $verboseErrors = false parameter to init(). Modify checkStatus() to conditionally include file/line/function based on $verboseErrors.
  • ffi/zvec_ffi.cc: Add strip_path() helper that uses strrchr() to extract basename. Update MAKE_STATUS and SET_FFI_ERROR macros to use strip_path(__FILE__).
  • tests/test_error_details.phpt: Updated to use verboseErrors: true since this test specifically verifies error detail availability.
  • New tests: test_verbose_errors_default.phpt, test_verbose_errors_enabled.phpt, test_verbose_errors_path_stripped.phpt

Security Impact

Before: ZVecException: collection path not exist in /home/forge/php-zvec/ffi/zvec_ffi.cc:560 in function zvec_collection_open
After: ZVecException: collection path not exist (default)

Closes

Closes #78
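
An added example (not the PR's code) of the two layers described above: a strrchr()-based basename helper applied where __FILE__ is captured, and a verbose flag that decides whether location details are shown at all. The names Status, make_status, DEMO_MAKE_STATUS and render are hypothetical, the backslash handling goes beyond what the PR states, and the gating the PR does in PHP's checkStatus() is collapsed into C++ here.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Illustrative stand-in, not the helper from ffi/zvec_ffi.cc.
// Returns a pointer just past the last '/' or '\\' in path, or path itself
// when it has no separator. No allocation: the result aliases the input,
// which is fine for __FILE__ string literals.
static const char* strip_path(const char* path) {
    if (path == nullptr) return "";
    const char* last = std::strrchr(path, '/');
    const char* bslash = std::strrchr(path, '\\');  // Windows build paths
    if (bslash != nullptr && (last == nullptr || bslash > last)) last = bslash;
    return last != nullptr ? last + 1 : path;
}

// Hypothetical status record; field names are assumptions.
struct Status {
    std::string message;
    std::string file;
    int line;
    std::string function;
};

static Status make_status(const char* msg, const char* file, int line,
                          const char* func) {
    return Status{msg, strip_path(file), line, func};
}

// Hypothetical macro in the spirit of MAKE_STATUS: basename only at capture.
#define DEMO_MAKE_STATUS(msg) make_status((msg), __FILE__, __LINE__, __func__)

static Status status_from_here() { return DEMO_MAKE_STATUS("demo failure"); }

// What the caller sees. Location is appended only when verbose_errors is on.
static std::string render(const Status& s, bool verbose_errors) {
    if (!verbose_errors) return s.message;
    return s.message + " in " + s.file + ":" + std::to_string(s.line) +
           " in function " + s.function;
}

int main() {
    // Path, line and function taken from the "Before" message in the PR.
    Status s = make_status("collection path not exist",
                           "/home/forge/php-zvec/ffi/zvec_ffi.cc", 560,
                           "zvec_collection_open");
    std::printf("%s\n%s\n", render(s, false).c_str(), render(s, true).c_str());
    return 0;
}
```

Stripping at capture time means the absolute build path never reaches the status record, so a later change to the verbose flag cannot reintroduce it.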

s2x force-pushed the feat/sec-010-verbose-errors branch from 39f7603 to 43f71a3 on May 30, 2026 07:00
Add verboseErrors parameter to ZVec::init() to control error detail
disclosure. When verboseErrors=false (default), ZVecException omits
file/line/function properties, preventing internal path leakage.

Also strip __FILE__ to basename in MAKE_STATUS macro via strrchr()
to reduce information disclosure even in verbose mode.

Closes #78
s2x force-pushed the feat/sec-010-verbose-errors branch from 43f71a3 to ffba918 on May 30, 2026 07:04
s2x merged commit 25d7340 into main on May 30, 2026
3 checks passed
Development

Successfully merging this pull request may close these issues.

SEC-010: C++ Source Paths Leaked in Exception Messages