[ErrorRenderer] Security fix: hide sensitive error messages
This commit is contained in:
parent
05f7f4e147
commit
d7d7f22dbe
@ -70,6 +70,6 @@ class JsonLoginTest extends AbstractWebTestCase
|
||||
|
||||
$this->assertSame(400, $response->getStatusCode());
|
||||
$this->assertSame('application/json', $response->headers->get('Content-Type'));
|
||||
$this->assertSame(['title' => 'Bad Request', 'status' => 400, 'detail' => 'Invalid JSON.'], json_decode($response->getContent(), true));
|
||||
$this->assertSame(['title' => 'Bad Request', 'status' => 400], json_decode($response->getContent(), true));
|
||||
}
|
||||
}
|
||||
|
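Review bot: The body assertion at `$this->assertSame(['title' => 'Bad Request', 'status' => 400], ...)` now encodes the production-mode shape without saying why `detail` is gone, so the next person to see `'Invalid JSON.'` missing may read it as a regression. A one-line comment above the assertion would fix that: `// 'detail' is only emitted in debug mode (JsonErrorRenderer); the test kernel presumably runs with debug disabled`. Nothing in this hunk asserts the debug-mode variant, so the "message is shown when debugging" half of the contract is untested here as far as the hunk shows. The enclosing test method starts outside the hunk.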
@ -43,9 +43,9 @@ class JsonErrorRenderer implements ErrorRendererInterface
|
||||
$content = [
|
||||
'title' => $exception->getTitle(),
|
||||
'status' => $exception->getStatusCode(),
|
||||
'detail' => $exception->getMessage(),
|
||||
];
|
||||
if ($debug) {
|
||||
$content['detail'] = $exception->getMessage();
|
||||
$content['exceptions'] = $exception->toArray();
|
||||
}
|
||||
|
||||
|
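Review bot: Gating `$content['detail']` on `$debug` also suppresses messages the application deliberately put on 4xx `HttpException`s — the updated expectations in ErrorControllerTest (`'Invalid request.'` on a 405 dropped) and JsonLoginTest (`'Invalid JSON.'` on a 400 dropped) show that — so in production the JSON, TXT and XML renderers no longer carry anything a client can act on beyond the status text; if that is the intended trade-off it deserves a note, and if not, a way to mark an exception message as safe to display would be needed. The TxtErrorRenderer and XmlErrorRenderer hunks make the same change and share this point. The non-obvious line is the assignment inside the `if ($debug)`, so add a why-comment there: `// Only expose the exception message when debugging: it may contain internal details (paths, queries, credentials).`. `$debug` itself is computed from `$this->debug && ($exception->getHeaders()['X-Debug'] ?? true)` above this hunk (visible in the TXT/XML hunks), i.e. the override comes from headers set on the exception by the application, not from the request; the enclosing render method starts outside the hunk.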
@ -41,9 +41,10 @@ class TxtErrorRenderer implements ErrorRendererInterface
|
||||
$debug = $this->debug && ($exception->getHeaders()['X-Debug'] ?? true);
|
||||
$content = sprintf("[title] %s\n", $exception->getTitle());
|
||||
$content .= sprintf("[status] %s\n", $exception->getStatusCode());
|
||||
$content .= sprintf("[detail] %s\n", $exception->getMessage());
|
||||
|
||||
if ($debug) {
|
||||
$content .= sprintf("[detail] %s\n", $exception->getMessage());
|
||||
|
||||
foreach ($exception->toArray() as $i => $e) {
|
||||
$content .= sprintf("[%d] %s: %s\n", $i + 1, $e['class'], $e['message']);
|
||||
foreach ($e['trace'] as $trace) {
|
||||
|
@ -42,12 +42,14 @@ class XmlErrorRenderer implements ErrorRendererInterface
|
||||
{
|
||||
$debug = $this->debug && ($exception->getHeaders()['X-Debug'] ?? true);
|
||||
$title = $this->escapeXml($exception->getTitle());
|
||||
$message = $this->escapeXml($exception->getMessage());
|
||||
$statusCode = $this->escapeXml($exception->getStatusCode());
|
||||
$charset = $this->escapeXml($this->charset);
|
||||
|
||||
$exceptions = '';
|
||||
$message = '';
|
||||
if ($debug) {
|
||||
$message = '<detail>'.$this->escapeXml($exception->getMessage()).'</detail>';
|
||||
|
||||
$exceptions .= '<exceptions>';
|
||||
foreach ($exception->toArray() as $e) {
|
||||
$exceptions .= sprintf('<exception class="%s" message="%s"><traces>', $e['class'], $this->escapeXml($e['message']));
|
||||
@ -71,7 +73,7 @@ class XmlErrorRenderer implements ErrorRendererInterface
|
||||
<problem xmlns="urn:ietf:rfc:7807">
|
||||
<title>{$title}</title>
|
||||
<status>{$statusCode}</status>
|
||||
<detail>{$message}</detail>
|
||||
{$message}
|
||||
{$exceptions}
|
||||
</problem>
|
||||
EOF;
|
||||
|
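Review bot: `$message` now holds either `''` or a complete `<detail>…</detail>` element rather than the escaped message text, and because `{$message}` sits on its own heredoc line the non-debug output contains an empty line where `<detail>` used to be — the XmlErrorRendererTest expectation (`@ -43,7 +43,7 @@ XML;`) bakes that blank line in. Renaming the variable to `$detail` and building it as `$detail = $debug ? '<detail>'.$this->escapeXml($exception->getMessage()).'</detail>'."\n" : '';` with the heredoc line reduced to `{$detail}{$exceptions}` (or equivalent) would keep the document free of stray lines and make the name match its content; `$exceptions` already carries the `<exceptions>` wrapper only when built, so the same newline treatment applies to it. This is a point of style, not correctness — the XML stays well-formed either way. The render method's heredoc is split across the two hunks and its end is outside the second one.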
@ -56,8 +56,7 @@ TXT
|
||||
$this->assertSame(<<<TXT
|
||||
{
|
||||
"title": "Internal Server Error",
|
||||
"status": 500,
|
||||
"detail": "This is a sample exception."
|
||||
"status": 500
|
||||
}
|
||||
|
||||
TXT
|
||||
|
@ -44,8 +44,7 @@ JSON;
|
||||
$expectedNonDebug = <<<JSON
|
||||
{
|
||||
"title": "Internal Server Error",
|
||||
"status": 500,
|
||||
"detail": "Foo"
|
||||
"status": 500
|
||||
}
|
||||
JSON;
|
||||
|
||||
|
@ -39,7 +39,6 @@ TXT;
|
||||
$expectedNonDebug = <<<TXT
|
||||
[title] Internal Server Error
|
||||
[status] 500
|
||||
[detail] Foo
|
||||
TXT;
|
||||
|
||||
yield '->render() returns the TXT content WITH stack traces in debug mode' => [
|
||||
|
@ -43,7 +43,7 @@ XML;
|
||||
<problem xmlns="urn:ietf:rfc:7807">
|
||||
<title>Internal Server Error</title>
|
||||
<status>500</status>
|
||||
<detail>Foo</detail>
|
||||
|
||||
|
||||
</problem>
|
||||
XML;
|
||||
|
@ -61,7 +61,7 @@ class ErrorControllerTest extends TestCase
|
||||
$request,
|
||||
FlattenException::createFromThrowable(new \Exception('foo')),
|
||||
500,
|
||||
'{"title": "Internal Server Error","status": 500,"detail": "foo"}',
|
||||
'{"title": "Internal Server Error","status": 500}',
|
||||
];
|
||||
|
||||
$request = new Request();
|
||||
@ -70,7 +70,7 @@ class ErrorControllerTest extends TestCase
|
||||
$request,
|
||||
FlattenException::createFromThrowable(new HttpException(405, 'Invalid request.')),
|
||||
405,
|
||||
'{"title": "Method Not Allowed","status": 405,"detail": "Invalid request."}',
|
||||
'{"title": "Method Not Allowed","status": 405}',
|
||||
];
|
||||
|
||||
$request = new Request();
|
||||
@ -79,7 +79,7 @@ class ErrorControllerTest extends TestCase
|
||||
$request,
|
||||
FlattenException::createFromThrowable(new HttpException(405, 'Invalid request.')),
|
||||
405,
|
||||
'{"title": "Method Not Allowed","status": 405,"detail": "Invalid request."}',
|
||||
'{"title": "Method Not Allowed","status": 405}',
|
||||
];
|
||||
|
||||
$request = new Request();
|
||||
|