Fix regression that discloses file path in some errors #1280
Conversation
vboctor
force-pushed
the
error_handler_path_disclosure
branch
from
2e3701c
to
67e28b5
Compare
This was introduced as part of refactoring error handler and it happens with some errors even when show_detailed_errors is set to OFF. Fixes #23925
vboctor
force-pushed
the
error_handler_path_disclosure
branch
from
67e28b5
to
d5d85f1
Compare
core/error_api.php
Outdated
| @@ -247,11 +247,16 @@ function error_handler( $p_type, $p_error, $p_file, $p_line, array $p_context ) | |||
|
|
|||
| $t_error_description = nl2br( $t_error_description ); | |||
|
|
|||
| # Make sure the file path is not disclosed via exception details | |||
| $t_error_description = str_replace( config_get_global( 'absolute_path' ), '.../', $t_error_description ); | |||
There was a problem hiding this comment.
we have
define ('DIRECTORY_SEPARATOR', "/");
$g_absolute_path = dirname( __FILE__ ) . DIRECTORY_SEPARATOR;
Can't check myself at the moment, did you try if it works on Windows?
Should the path be removed if ON == config_get_global( 'show_detailed_errors' )?
There was a problem hiding this comment.
I initially had the code to only show the path when show_detailed_errors is ON. But I then removed this code since I think it is not worth having the extra checks. The real value is the relative path.
I don't have a Windows environment setup at the moment.
There was a problem hiding this comment.
I can test on Windows when I'm in the office on Monday.
|
I'm also concerned about the robustness of the proposed str_replace()-based solution. It works for sure on unix-like environments with a standard MantisBT installation, but what about the case where the admin customized the folder locations in config_inc.php ? Regardless of the directory separator, there are bound to be cases where a simple replacement won't do the trick. I thought about using the IMO, PHP errors are not meant to be displayed to end users; I believe it would be preferable and safer to display a generic error, while writing the actual message and stack trace in the system log - at least when $g_show_detailed_errors = OFF. |
|
Will look into having our exception displayed, but PHP exceptions or exceptions that didn't originate from Mantis show a generic message (e.g. internal error, while logging the proper error). If show detailed errors is ON, then we will always show exception. Will refine the approach as I look further on the code. Will remove path replacement. |
This reverts commit d5d85f1.
|
Cheers. Please note that I will probably not have the opportunity to review/test your revised fix until tomorrow evening (~22:00 CET) as I won't be at home the whole day. I'll do my best to do it as soon as possible, so you can release 2.11 as planned, but if I can't manage I'd rather postpone the release by a few days. |
|
I have implemented an alternative fix which:
|
There was a problem hiding this comment.
Note: I only tested from the GUI, not from SOAP or REST API.
Sorry to insist, but I really think that when $g_show_detailed_errors is ON, we should provide the error message in the GUI as a convenience to administrators and developers, as per patch below.
Other review comments follow.
diff --git a/core/error_api.php b/core/error_api.php
index b0c1517..265fd5a 100644
--- a/core/error_api.php
+++ b/core/error_api.php
@@ -175,6 +175,8 @@ function error_handler( $p_type, $p_error, $p_file, $p_line, array $p_context )
}
}
+ $t_show_detailed_errors = config_get_global( 'show_detailed_errors' ) == ON;
+
# Force errors to use HALT method.
if( $p_type == E_USER_ERROR || $p_type == E_ERROR || $p_type == E_RECOVERABLE_ERROR ) {
$t_method = DISPLAY_ERROR_HALT;
@@ -203,12 +205,15 @@ function error_handler( $p_type, $p_error, $p_file, $p_line, array $p_context )
case E_USER_ERROR:
if( $p_error == ERROR_PHP ) {
$t_error_type = 'INTERNAL APPLICATION ERROR';
- $t_error_description = '';
global $g_exception;
- $t_stack_as_string = error_stack_track_as_string();
- $t_error_to_log = $g_exception->getMessage() . "\n" . $t_stack_as_string;
+ $t_error_description = $g_exception->getMessage();
+ $t_error_to_log = $t_error_description . "\n" . error_stack_track_as_string();
error_log( $t_error_to_log );
+
+ if( !$t_show_detailed_errors ) {
+ $t_error_description = '';
+ }
} else {
$t_error_type = 'APPLICATION ERROR #' . $p_error;
$t_error_description = error_string( $p_error );
@@ -259,7 +264,7 @@ function error_handler( $p_type, $p_error, $p_file, $p_line, array $p_context )
if( DISPLAY_ERROR_NONE != $t_method ) {
echo $t_error_type . ': ' . $t_error_description . "\n";
- if( ON == config_get_global( 'show_detailed_errors' ) ) {
+ if( $t_show_detailed_errors ) {
echo "\n";
error_print_stack_trace();
}
@@ -342,7 +347,7 @@ function error_handler( $p_type, $p_error, $p_file, $p_line, array $p_context )
}
echo '</div>';
- if( ON == config_get_global( 'show_detailed_errors' ) ) {
+ if( $t_show_detailed_errors ) {
echo '<p>';
error_print_details( $p_file, $p_line, $p_context );
echo '</p>';
api/rest/index.php
Outdated
| $t_error_to_log = $p_exception->getMessage() . "\n" . $t_stack_as_string; | ||
| error_log( $t_error_to_log ); | ||
|
|
||
| return $p_response->withStatus( HTTP_STATUS_INTERNAL_SERVER_ERROR )->withJson( $t_data ); |
There was a problem hiding this comment.
Is it normal to return ->withJson( $t_data ) which still contains the exception's message ?
There was a problem hiding this comment.
Changed code to include it only if show detailed errors is ON.
core/error_api.php
Outdated
| */ | ||
| function error_print_stack_trace() { | ||
| $t_stack = error_stack_trace(); | ||
| function error_stack_track_as_string( $p_exception = null ) { |
There was a problem hiding this comment.
Should be error_stack_trace_as_string, no ?
core/error_api.php
Outdated
| $t_stack = error_stack_trace( $p_exception ); | ||
|
|
||
| if( php_sapi_name() == 'cli' ) { | ||
| echo error_stack_track_as_string( $p_exception ); |
core/error_api.php
Outdated
| * @param Exception|null $p_exception The exception to print stack trace for. Null will check last seen exception. | ||
| */ | ||
| function error_print_stack_trace( $p_exception = null ) { | ||
| $t_stack = error_stack_trace( $p_exception ); |
There was a problem hiding this comment.
Move that assignment after the cli test, just before the foreach loop
core/error_api.php
Outdated
| $t_stack = error_stack_trace( $p_exception ); | ||
|
|
||
| if( php_sapi_name() == 'cli' ) { | ||
| echo error_stack_track_as_string( $p_exception ); | ||
| return; | ||
| } | ||
|
|
There was a problem hiding this comment.
The comment # remove the call to the error handler from the stack trace (a few lines down from here) looks like a leftover from older code which should probably be removed.
|
@dregad thanks for the review. I applied all your review comments. Let me know if all looks good. |
|
Looks good, but I didn't test in depth the behavior from the API. |
This was introduced as part of refactoring error handler and it happens with some errors even when show_detailed_errors is set to OFF.
Fixes #23925