Remove redundant/potentially sensitive @backtrace_string from log message

Taking the liberty of upgrading this to major, as this can potentially leak sensitive information to Sentry, as Exception::getTraceAsString() includes string parameters in the backtrace.

I've re-rolled against the latest version and taken further liberty in removing the configuration option. As far as I can tell, Sentry/Raven always produces their own backtrace, which can be configured to include parameter values or not, so the backtrace in the message is redundant and fills up the issue page at Sentry pushing the nicer looking native backtrace down.

No interdiff as 3326662-3 doesn't apply to HEAD.

I don't really like forcibly messing with everyone's $message and $context, but I'd agree it's simpler and safer to remove it without adding configuration.

It looks like in core, @backtrace_string appears as %type: @message in %function (line %line of %file) @backtrace_string. so how about removing the string @backtrace_string such that the end result would be %type: @message in %function (line %line of %file).?

By the way, as a workaround for this issue, you should be able to enable zend.exception_ignore_args in your php environment to ignore args completely, or set zend.exception_string_param_max_len to zero.

Fixed the str_replace() to remove the space before period and tweaked the comment a bit.

@mfb

Nice, but there's a related problem: the feature that collects log messages produced in the request and add them to the issue still get the old trace. The PHP options that you mention should be able to take care of this, but it means that this fix is half baked. Should it (and can we) clean the log messages too? If the PHP options is needed to clean the log messages this fix is sorta redundant. I think raven should either fix both, or instruct users to set the options instead.

@Xen there is already code that cleans the stacktrace. Although likely it's not good enough - I tested it quite some time ago with stacktraces for exceptions, but need to verify it works, and maybe it doesn't work on other events (php warnings, etc. have one too, provided by drupal core, and sentry creates one for events that don't otherwise have one)

If you have a chance maybe you can open a new issue with reproduce code.

Automatically closed - issue fixed for 2 weeks with no activity.

Sorry for the late response, I've had some issues with notifications.

I've updated to the latest version and I'll see how it looks.

@Xen see also 📌 RemoveExceptionFrameVarsIntegration could also remove function calling args from event stacktrace added by Sentry SDK Fixed