
BlueScreen: In CLI mode is php_info() output corrupted (and XSS vulnerable) #444

@jakubboucek

Description


Version: v2.7.5 - master

Bug Description

In CLI mode, BlueScreen renders the output of phpinfo() corrupted (section Environment » Configuration options » Configuration).

\Tracy\BlueScreen expects the phpinfo() function to return HTML-formatted output, but in CLI mode the output is ASCII-formatted plaintext.

Because the ASCII format is based on whitespace, this output is broken in HTML and should be wrapped in <pre></pre> tags.

There is a security aspect too: \Tracy\BlueScreen expects the values in phpinfo() to be escaped for the HTML context, but the plaintext variant is raw. That makes a real XSS vulnerability.

Related code:

<h3><a data-tracy-ref="^+" class="tracy-toggle tracy-collapsed">Configuration options</a></h3>
<div class="outer tracy-collapsed">
<?php ob_start(); @phpinfo(INFO_CONFIGURATION | INFO_MODULES); $phpinfo = ob_get_clean(); // @ phpinfo can be disabled
$phpinfo = str_replace('<table', '<table class="tracy-sortable"', $phpinfo);
echo preg_replace('#^.+<body>|</body>.+\z#s', '', $phpinfo) ?>
</div>

Steps To Reproduce

mkdir test
cd test
composer require tracy/tracy

Create cli.php:

<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

\Tracy\Debugger::enable(\Tracy\Debugger::PRODUCTION, __DIR__);
throw new \Exception;

Call PHP file via CLI:

php cli.php

A BlueScreen dump is created in the directory; look at section Environment » Configuration options » Configuration, where the output of phpinfo() is corrupted.

Expected Behavior

Render the output as preformatted text, sanitized to prevent XSS.


I will maybe prepare a PR later.
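One way to handle both phpinfo() variants in the template, as an added example that is not Tracy's own code: the function names are mine, and detecting the HTML variant by the presence of a <body> element (rather than by PHP_SAPI alone) is an assumption. The plaintext branch escapes every value and keeps the whitespace layout in <pre>; the HTML branch keeps the existing post-processing.

```php
<?php
declare(strict_types=1);

// Turn captured phpinfo() output into a fragment that is safe to embed in the
// BlueScreen. Web SAPIs emit HTML whose values phpinfo() already escapes; the
// CLI SAPI emits whitespace-aligned plaintext whose values are raw, so that
// variant must be escaped and wrapped in <pre> to preserve the layout.
function phpinfoToHtmlFragment(string $phpinfo, bool $isHtml): string
{
	if (!$isHtml) {
		$escaped = htmlspecialchars($phpinfo, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
		return '<pre>' . $escaped . '</pre>';
	}
	// Original BlueScreen post-processing, applied only to genuine HTML output.
	$phpinfo = str_replace('<table', '<table class="tracy-sortable"', $phpinfo);
	return (string) preg_replace('#^.+<body>|</body>.+\z#s', '', $phpinfo);
}

// Capture phpinfo() and choose the branch from the actual output: the text
// variant is what the CLI SAPI produces, and it never contains a <body> tag
// (assumption used here instead of checking PHP_SAPI === 'cli').
function renderPhpInfoSection(): string
{
	ob_start();
	@phpinfo(INFO_CONFIGURATION | INFO_MODULES); // @ phpinfo can be disabled
	$phpinfo = (string) ob_get_clean();
	$isHtml = strpos($phpinfo, '<body>') !== false;
	return phpinfoToHtmlFragment($phpinfo, $isHtml);
}

// Constructed sample of CLI-style plaintext (not real phpinfo() output) in
// which one environment value contains markup; passed through raw, the
// browser would interpret it as HTML, escaped it is shown literally.
$sample = "Environment\n\nVariable => Value\nAPP_ENV => <b>dev</b>\n";
$fragment = phpinfoToHtmlFragment($sample, false);

assert(strpos($fragment, '<pre>') === 0);
assert(strpos($fragment, '<b>') === false);                  // markup neutralised
assert(strpos($fragment, '&lt;b&gt;dev&lt;/b&gt;') !== false); // shown as text
echo $fragment, PHP_EOL;
```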
