2.3.0 rest call error messages became worse #21132
Comments
Thanks for the report. Unfortunately, without some more context it's hard to be certain about the problem that you're describing. Making an educated guess, assuming that you're referring to the default error controller's output and that you're using 2.3.0 snapshots, this may be due to #20505. Can you please clarify?
Hmm... don't know about 'default error page'. 2.2.6:
2.3.0:
okay. got it...
shows old behaviour.
What's the idea behind that change?
Exception messages can leak implementation details. In your example above, you have leaked the fact that the server is using Java and that the value is being parsed into a UUID. Depending on the circumstances and the information that is being leaked, this could allow an attacker to identify a vulnerability that they can exploit. #20505 is already labelled as noteworthy so the change will be described in the release notes for 2.3.0.RC1.
Version 2.2.6 gives useful error-messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
(not found)->
"Kunde not found" (the text used in exception)
/kunde-api/kunden/123
(no UUID)->
"Failed to convert value of type 'java.lang.String' to required type 'java.util.UUID'; nested exception is java.lang.IllegalArgumentException: Invalid UUID string: 123" (out-of-the-box)
Version 2.3.0 gives worse error-messages
/kunde-api/kunden/bf73ce21-f91b-4619-8891-1b4b471db3fe
(not found)->
"An error occurred while processing the request" (so, what's the problem here??)
/kunde-api/kunden/123
(no UUID)->
"An error occurred while processing the request" (so, what's the problem here??)
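One way to get both properties at once, a response the client can act on and no framework-generated exception text on the wire, is to handle the two failure cases explicitly instead of relying on the default error controller. The following `@RestControllerAdvice` is an added example written for this thread; it is not code from the Spring Boot project or from the reporter. The package, the advice class and `KundeNotFoundException` are hypothetical; the `/kunde-api/kunden/{id}` route, the "Kunde not found" text and the UUID parameter are taken from the examples above.

```java
// Added example, not part of the Spring Boot project or this issue's code.
// Assumptions: hypothetical package and class names; the route and the
// "Kunde not found" wording come from the issue description.
package com.example.kunde;

import java.util.Collections;
import java.util.Map;
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;
import org.springframework.web.method.annotation.MethodArgumentTypeMismatchException;

@RestControllerAdvice
public class KundeErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(KundeErrorAdvice.class);

    // Hypothetical domain exception thrown by the lookup when no Kunde matches.
    // Its message is written by the application, so echoing it is safe.
    public static class KundeNotFoundException extends RuntimeException {
        public KundeNotFoundException(UUID id) {
            super("Kunde not found");
        }
    }

    // GET /kunde-api/kunden/bf73ce21-... with no matching record: 404 plus
    // the application's own message, as in 2.2.6.
    @ExceptionHandler(KundeNotFoundException.class)
    public ResponseEntity<Map<String, String>> notFound(KundeNotFoundException ex) {
        return ResponseEntity.status(HttpStatus.NOT_FOUND)
                .body(Collections.singletonMap("message", ex.getMessage()));
    }

    // GET /kunde-api/kunden/123: the path variable failed conversion to UUID.
    // Tell the client which parameter is wrong and what shape is expected;
    // keep the framework's raw text (which names java.lang.String and
    // java.util.UUID) in the server log only.
    @ExceptionHandler(MethodArgumentTypeMismatchException.class)
    public ResponseEntity<Map<String, String>> badArgument(MethodArgumentTypeMismatchException ex) {
        log.debug("type mismatch for parameter {}: {}", ex.getName(), ex.getMessage());
        String expected = (ex.getRequiredType() == UUID.class) ? "a UUID" : "a valid value";
        String message = "Parameter '" + ex.getName() + "' must be " + expected;
        return ResponseEntity.status(HttpStatus.BAD_REQUEST)
                .body(Collections.singletonMap("message", message));
    }
}
```

With this advice in place the 2.3.0 default of withholding the exception message does not cost you anything: the not-found case still says "Kunde not found", and the bad-UUID case says "Parameter 'id' must be a UUID" instead of either the generic text or the 2.2.6 message that revealed the server's language and types. If you do want the old behaviour globally, Spring Boot 2.3 exposes it as the `server.error.include-message` property (`always` restores the 2.2.x output); that switch applies to every error response, so the per-exception handler above is the narrower option.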