Exceptions on AJAX requests display sensitive information #14711
Comments
How's your custom error action implemented? I've tried reproducing it but am getting only "Exception: An internal server error occurred."

Hey @samdark, thanks for having a look! I am actually not using a custom error action. It is important that no custom error action is configured, otherwise the problem cannot be reproduced. Might be that this was fixed in a more recent Yii version, but the problem code still seems to be in place: yii2/framework/web/ErrorHandler.php, line 106 in d68789a.
I will also try out a more recent Yii version to see if I can reproduce there as well...

Thanks. Please check with the latest release version and, if it's still there, with code from the master branch. It would help to know how exactly your application is configured in terms of error handler, how exactly the AJAX request is sent and where/how you set the response format to

I have just tried this with 2.0.13.1 and the issue still happens. Check my comment #14711 (comment). The line referenced there is responsible for this issue. Specifically, on AJAX requests when returning HTML, the error handler converts the exception to a string which then contains sensitive information. Regarding my application configuration: I do not have any configuration for the

Awesome, thanks @samdark!
What steps will reproduce the problem?
Throw an exception anywhere in your code, make sure that YII_DEBUG is off and that you do not have a custom error action (ErrorHandler::$errorAction) configured:
Now make an AJAX request to the page that throws the exception and make sure that the response format is set to Response::FORMAT_HTML.

What is the expected result?
Response text:
<pre>An internal server error occurred.</pre>

What do you get instead?
Response text:
<pre>Exception message with possibly sensitive information.</pre>

Additional info
I haven't had a chance to test this with the newest Yii2 version but checked the code inside yii\web\ErrorHandler::renderException() quickly and it looks like it will lead to the same problem.
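The reported and the expected conversion side by side, as an added illustration that is not Yii's own code: a stand-alone PHP stand-in for the AJAX/HTML branch of an error handler like the one the report describes. The YII_DEBUG constant, the UserException stand-in class and the sample exception message are assumptions constructed for this example.

```php
<?php
// Added illustration, not Yii's code: a minimal stand-in for the AJAX/HTML
// branch of an error handler. *Leaky* mirrors the reported behaviour,
// *Safe* the expected one. YII_DEBUG and the exception class are simulated.
declare(strict_types=1);

define('YII_DEBUG', false); // assumption: production mode, debug switched off

// Stand-in for Yii's UserException: messages written for end users.
class UserException extends Exception {}

// Reported behaviour: with debug off, a non-user exception's raw message is
// still returned, so the <pre> body echoes internal detail to the client.
function convertExceptionToStringLeaky(Throwable $e): string
{
    if ($e instanceof UserException) {
        return 'User Exception: ' . $e->getMessage();
    }
    if (YII_DEBUG) {
        return get_class($e) . ': ' . $e->getMessage();
    }
    return 'Error: ' . $e->getMessage(); // leaks the internal message
}

// Expected behaviour: detail only for user-facing exceptions or in debug
// mode; any other exception collapses to a fixed generic text.
function convertExceptionToStringSafe(Throwable $e): string
{
    if ($e instanceof UserException) {
        return 'User Exception: ' . $e->getMessage();
    }
    if (YII_DEBUG) {
        return get_class($e) . ': ' . $e->getMessage();
    }
    return 'An internal server error occurred.';
}

// Body sent back on an AJAX request with the HTML response format.
function renderAjaxBody(Throwable $e, callable $convert): string
{
    return '<pre>' . htmlspecialchars($convert($e), ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample: an internal failure whose message carries
// infrastructure detail that must not reach the browser.
$internal = new RuntimeException('SQLSTATE[HY000] connect to db-host:3306 refused');
echo renderAjaxBody($internal, 'convertExceptionToStringLeaky'), PHP_EOL;
echo renderAjaxBody($internal, 'convertExceptionToStringSafe'), PHP_EOL;
```

Running it prints the two bodies one after the other; only the first one carries the database host and port from the exception message.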