2.3.0 rest call error messages became worse #21132
Comments
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the report. Unfortunately, without some more context it's hard to be certain about the problem that you're describing. Making an educated guess, assuming that you're referring to the default error controller's output and that you're using 2.3.0 snapshots, this may be due to #20505. Can you please clarify? |
wilkinsona
added
the
status: waiting-for-feedback
|
Hmm... don't know about 'default error page'. 2.2.6: 2.3.0: |
spring-projects-issues
added
status: feedback-provided
|
okay. got it... shows old behaviour. |
|
What's the idea behind that change? |
|
Exception messages can leak implementation details. In your example above, you have leaked the fact that the server is using Java and that the value is being parsed into a UUID. Depending on the circumstances and the information that is being leaked, this could allow an attacker to identify a vulnerability that they can exploit. #20505 is already labelled as noteworthy so the change will be describe in the release notes for 2.3.0.RC1. |
wilkinsona
added
status: declined
Version 2.2.6 gives useful error-messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe(not found)->
"Kunde not found" (the text used in eception)
/kunde-api/kunden/123(no UUID)->
"Failed to convert value of type 'java.lang.String' to required type 'java.util.UUID'; nested exception is java.lang.IllegalArgumentException: Invalid UUID string: 123" (out-of-the-box)
Version 2.3.0 gives worse error-messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe(not found)->
"An error occurred while processing the request" (so, what's the problem here??)
/kunde-api/kunden/123(no UUID)->
"An error occurred while processing the request" (so, what's the problem here??)
The text was updated successfully, but these errors were encountered: