
Exceptions on AJAX requests display sensitive information #14711

Closed
TobyGiacometti opened this issue Aug 23, 2017 · 6 comments

@TobyGiacometti

What steps will reproduce the problem?

Throw an exception anywhere in your code, make sure that YII_DEBUG is off and that you do not have a custom error action (ErrorHandler::$errorAction) configured:

throw new \yii\base\Exception('Exception message with possibly sensitive information.');

Now make an AJAX request to the page that throws the exception and make sure that the response format is set to Response::FORMAT_HTML.

What is the expected result?

Response text: <pre>An internal server error occurred.</pre>

What do you get instead?

Response text: <pre>Exception message with possibly sensitive information.</pre>

Additional info

Q                | A
Yii version      | 2.0.9
PHP version      | 7.0.21
Operating system | Linux

I haven't had a chance to test this with the newest Yii2 version but checked the code inside yii\web\ErrorHandler::renderException() quickly and it looks like it will lead to the same problem.

@samdark samdark self-assigned this Aug 23, 2017
@samdark samdark added severity:security status:to be verified Needs to be reproduced and validated. labels Aug 23, 2017
@samdark samdark added this to the 2.0.13 milestone Aug 23, 2017
@samdark
Member

samdark commented Aug 28, 2017

How's your custom error action implemented? I've tried reproducing it but am getting only "Exception: An internal server error occurred."

@TobyGiacometti
Author

Hey @samdark, thanks for having a look! I am actually not using a custom error action. It is important that no custom error action is configured, otherwise the problem cannot be reproduced. Might be that this was fixed in a more recent Yii version, but the problem code still seems to be in place:

$response->data = '<pre>' . $this->htmlEncode(static::convertExceptionToString($exception)) . '</pre>';

I will also try out a more recent Yii version to see if I can reproduce there as well...

@samdark
Member

samdark commented Aug 29, 2017

Thanks. Please check with latest release version and, if it's still there, with code from master branch.

It would help to know how exactly your application is configured in terms of the error handler, how exactly the AJAX request is sent and where/how you set the response format to Response::FORMAT_HTML.

@samdark samdark modified the milestones: 2.0.14, 2.0.13 Aug 30, 2017
@TobyGiacometti
Author

I have just tried this with 2.0.13.1 and the issue still happens.

Check my comment #14711 (comment). The line referenced there is responsible for this issue. Specifically, on AJAX requests when returning HTML, the error handler converts the exception to a string which then contains sensitive information.

Regarding my application configuration: I do not have any configuration for the errorHandler component set, so everything is set to default. The response format is not specifically set, I just use \yii\web\Controller and a method call in there throws an exception. The reason why I mentioned the response format: if response format is not set to Response::FORMAT_HTML, we do not end up on the line referenced in my comment above and no sensitive data gets printed.
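
The following is an added illustration and not code from the Yii project or from anyone in this thread. It models, in plain PHP with no framework dependency, the two behaviours the issue contrasts: an AJAX/HTML branch that stringifies the exception into a <pre> block regardless of debug mode (the pattern quoted from yii\web\ErrorHandler above), and a hardened branch that logs the details server-side and returns only the generic "An internal server error occurred." text unless debug mode is on or the exception is one deliberately meant for end users. All class and function names here (UserFacingException, renderAjaxErrorLeaky, renderAjaxErrorSafe) are hypothetical; UserFacingException merely stands in for the idea of a user-safe exception type and is not yii\base\UserException. The connection string in the sample exception is constructed.

```php
<?php
// Added example, not Yii's own code. Names are hypothetical.

// Stand-in for an exception type whose message is intended for end users
// (assumption: the application distinguishes such a type; it is not Yii's class).
class UserFacingException extends Exception {}

function htmlEncode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Models the leaky pattern quoted in the issue: the whole exception is
// converted to a string and placed into <pre>, whether or not debug is on.
// HTML-encoding prevents XSS but does nothing against information disclosure.
function renderAjaxErrorLeaky(Throwable $e): string {
    $text = get_class($e) . ': ' . $e->getMessage();
    return '<pre>' . htmlEncode($text) . '</pre>';
}

// Hardened variant: details go to the log, the client only ever sees
// a generic message outside debug mode, unless the exception is user-facing.
function renderAjaxErrorSafe(Throwable $e, bool $debug, ?callable $log = null): string {
    if ($log !== null) {
        // Server-side record of what actually happened, including location.
        $log(get_class($e) . ': ' . $e->getMessage()
            . ' at ' . $e->getFile() . ':' . $e->getLine());
    }

    if ($debug) {
        // Developer machine: full detail is acceptable.
        $text = get_class($e) . ': ' . $e->getMessage() . "\n" . $e->getTraceAsString();
    } elseif ($e instanceof UserFacingException) {
        // Message was written for the user, so it may be shown verbatim.
        $text = $e->getMessage();
    } else {
        // Anything else is treated as internal and never echoed to the client.
        $text = 'An internal server error occurred.';
    }

    return '<pre>' . htmlEncode($text) . '</pre>';
}

// Constructed sample input: an exception whose message carries a credential.
$internal = new RuntimeException(
    'DB connect failed: mysql://app:Sup3rS3cret@db.internal/prod'
);
$userError = new UserFacingException('Your session has expired.');

$logged = [];
$logger = function (string $line) use (&$logged): void { $logged[] = $line; };

// Production mode (debug off), as in the issue: the leaky branch reveals the
// credential, the safe branch returns the generic text and keeps detail in $logged.
echo "leaky: ", renderAjaxErrorLeaky($internal), "\n";
echo "safe:  ", renderAjaxErrorSafe($internal, false, $logger), "\n";
echo "user:  ", renderAjaxErrorSafe($userError, false, $logger), "\n";
echo "log entries: ", count($logged), "\n";
```

To check a real deployment for this behaviour, send the failing request with the header Yii uses to recognise AJAX calls (X-Requested-With: XMLHttpRequest) while YII_DEBUG is false and no errorAction is configured, and compare the response body against the generic text; if the exception class or message appears in the <pre> block, the handler is still on the leaky path.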

@TobyGiacometti
Author

Awesome, thanks @samdark!
