Security: Internal exception messages are returned to clients#4634
Security: Internal exception messages are returned to clients#4634tomaioo wants to merge 1 commit into
Conversation
The base controller returns raw exception messages in HTTP responses (`['message' => $e->getMessage()]`). If exception text contains internal details (query context, identifiers, stack-related hints), this can expose sensitive implementation information to attackers. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
|
Which messages would you classify as dangerous? |
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
2 participants
Summary
Security: Internal exception messages are returned to clients
Problem
Severity:
Low| File:lib/Controller/BaseController.php:L47The base controller returns raw exception messages in HTTP responses (
['message' => $e->getMessage()]). If exception text contains internal details (query context, identifiers, stack-related hints), this can expose sensitive implementation information to attackers.Solution
Return generic user-facing error messages and log detailed exception information server-side only. Map known exceptions to stable, sanitized error codes/messages.
Changes
lib/Controller/BaseController.php(modified)