From 47e4c111df1358e0432d8bb2df109bbaf279a779 Mon Sep 17 00:00:00 2001
From: Kairat Jenishev
Date: Thu, 12 Dec 2024 22:59:52 +0600
Subject: [PATCH] Update documentation and annotation related to `$maskVars` property #20295
---
 docs/guide/runtime-logging.md | 10 ++++++++--
 framework/log/Target.php | 5 +++++
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/docs/guide/runtime-logging.md b/docs/guide/runtime-logging.md
index 041150abd2c..7bccee119c1 100644
--- a/docs/guide/runtime-logging.md
+++ b/docs/guide/runtime-logging.md
@@ -217,14 +217,20 @@ Or if you want to implement your own way of providing context information, you m
 [[yii\log\Target::getContextMessage()]] method.

 In case some of your request fields contain sensitive information you would not like to log (e.g. passwords, access tokens),
-you may additionally configure `maskVars` property. By default, the following request parameters will be masked with `***`:
+you may additionally configure `maskVars` property, which can contain both exact values and (case-insensitive) patterns. By default,
+the following request parameters will be masked with `***`:
 `$_SERVER[HTTP_AUTHORIZATION]`, `$_SERVER[PHP_AUTH_USER]`, `$_SERVER[PHP_AUTH_PW]`, but you can set your own:

 ```php
 [
 'class' => 'yii\log\FileTarget',
 'logVars' => ['_SERVER'],
- 'maskVars' => ['_SERVER.HTTP_X_PASSWORD']
+ 'maskVars' => [
+ '_SERVER.HTTP_X_PASSWORD',
+ '_SERVER.*_SECRET', // matches all ending with "_SECRET"
+ '_SERVER.SECRET_*', // matches all starting with "SECRET_"
+ '_SERVER.*SECRET*', // matches all containing "SECRET"
+ ]
 ]
 ```

diff --git a/framework/log/Target.php b/framework/log/Target.php
index 8e87160c496..a56d9efbf00 100644
--- a/framework/log/Target.php
+++ b/framework/log/Target.php
@@ -92,6 +92,11 @@ abstract class Target extends Component
 * - `var` - `var` will be logged as `***`
 * - `var.key` - only `var[key]` will be logged as `***`
 *
+ * In addition, this property accepts (case-insensitive) patterns. For example:
+ * - `_SERVER.*_SECRET` matches all ending with `_SECRET`, such as `$_SERVER['TOKEN_SECRET']` etc.
+ * - `_SERVER.SECRET_*` matches all starting with `SECRET_`, such as `$_SERVER['SECRET_TOKEN']` etc.
+ * - `_SERVER.*SECRET*` matches all containing `SECRET` i.e. both of the above.
+ *
 * @since 2.0.16
 */
 public $maskVars = [
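Review bot: The added docblock paragraph does not say from which release patterns are accepted, while the `@since 2.0.16` tag directly below it still dates the whole property. A configuration that relies on `_SERVER.*_SECRET` on an older release would presumably be read as a literal key and leave those values unmasked in the log output. I would add a line such as `Patterns are supported since version <VERSION>; earlier versions match exact keys only.` (placeholder, the release number is not visible here). The third bullet's "i.e. both of the above" also understates the pattern, since `*SECRET*` matches keys with `SECRET` in the middle as well; `including both of the above` would be accurate. The property declaration continues past the end of the hunk.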