Security issue: Token exposed when trying to create already used hostname #8
Comments
Hi asterix11, thank you for letting me know about this horrible bug. I will fix this problem right now and will let you know if it has been fixed. Thank you very much.
@asterix11 This has been fixed by ffe0092 and the fix is already rolled out to ddns.pboehm.de, which no longer exposes host information in the error message. After reading through all the frontend API endpoints, I have no idea why the host information is included in the specific error message. It was probably some debug mechanism during early development which should have never been committed. I will add a notice to the README that points to this error and urges users of ddns to update their installations. Thank you for disclosing this horrible bug.
This bug has been introduced in the rework, which was released 14 days ago. The legacy version (using the PowerDNS Pipe Backend) is not affected.
@pboehm Thank you for your very fast reaction, I very much appreciate your commitment.
From my side this issue can be closed.
Steps to reproduce:
The token is exposed within the error message:
{"error":"This hostname has already been registered. \u0026{<hostname (ommited)> 127.0.0.1 <token (ommited)>}"}
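An added Go example (not the project's code and not part of the original issue) showing how output of this shape arises: `%v` on a pointer to a struct prints `&{field field field}`, and `encoding/json` escapes the `&` as `\u0026`. It sits next to the plain fix and a redacting token type as a second safeguard. The `Host` field names, the `Secret` type and all sample values are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Host is a hypothetical host record; the field names are assumptions.
type Host struct{ Hostname, IP, Token string }

// Secret redacts itself wherever fmt honours Stringer (%v, %s) or GoStringer (%#v).
type Secret string

func (Secret) String() string   { return "[redacted]" }
func (Secret) GoString() string { return "[redacted]" }

// GuardedHost is the same record with the token typed as Secret.
type GuardedHost struct {
	Hostname, IP string
	Token        Secret
}

// errorBody marshals an API error the way a JSON handler would.
func errorBody(msg string) string {
	b, _ := json.Marshal(map[string]string{"error": msg})
	return string(b)
}

// LeakyResponse formats the stored record into the message with %v.
func LeakyResponse(h *Host) string {
	return errorBody(fmt.Sprintf("This hostname has already been registered. %v", h))
}

// FixedResponse tells the caller only what they already know.
func FixedResponse() string {
	return errorBody("This hostname has already been registered.")
}

// GuardedResponse repeats the mistake, but the token no longer prints.
func GuardedResponse(h *GuardedHost) string {
	return errorBody(fmt.Sprintf("This hostname has already been registered. %v", h))
}

func main() {
	// Constructed sample values, not taken from the report.
	fmt.Println(LeakyResponse(&Host{"example-host", "127.0.0.1", "constructed-token"}))
	fmt.Println(FixedResponse())
	fmt.Println(GuardedResponse(&GuardedHost{"example-host", "127.0.0.1", "constructed-token"}))
}
```

The `Secret` type only protects the token; the guarded response still prints the stored IP address, so keeping the record out of the message is the actual fix.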