[ErrorRenderer] Security fix: hide sensitive error messages

dunglas · yceruto · commit d7d7f22dbe2e · 2019-10-28T19:37:55.000-04:00
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/JsonLoginTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/JsonLoginTest.php
@@ -70,6 +70,6 @@ public function testDefaultJsonLoginBadRequest()
 
         $this->assertSame(400, $response->getStatusCode());
         $this->assertSame('application/json', $response->headers->get('Content-Type'));
-        $this->assertSame(['title' => 'Bad Request', 'status' => 400, 'detail' => 'Invalid JSON.'], json_decode($response->getContent(), true));
+        $this->assertSame(['title' => 'Bad Request', 'status' => 400], json_decode($response->getContent(), true));
     }
 }
diff --git a/src/Symfony/Component/ErrorRenderer/ErrorRenderer/JsonErrorRenderer.php b/src/Symfony/Component/ErrorRenderer/ErrorRenderer/JsonErrorRenderer.php
@@ -43,9 +43,9 @@ public function render(FlattenException $exception): string
         $content = [
             'title' => $exception->getTitle(),
             'status' => $exception->getStatusCode(),
-            'detail' => $exception->getMessage(),
         ];
         if ($debug) {
+            $content['detail'] = $exception->getMessage();
             $content['exceptions'] = $exception->toArray();
         }
 
diff --git a/src/Symfony/Component/ErrorRenderer/ErrorRenderer/TxtErrorRenderer.php b/src/Symfony/Component/ErrorRenderer/ErrorRenderer/TxtErrorRenderer.php
@@ -41,9 +41,10 @@ public function render(FlattenException $exception): string
         $debug = $this->debug && ($exception->getHeaders()['X-Debug'] ?? true);
         $content = sprintf("[title] %s\n", $exception->getTitle());
         $content .= sprintf("[status] %s\n", $exception->getStatusCode());
-        $content .= sprintf("[detail] %s\n", $exception->getMessage());
 
         if ($debug) {
+            $content .= sprintf("[detail] %s\n", $exception->getMessage());
+
             foreach ($exception->toArray() as $i => $e) {
                 $content .= sprintf("[%d] %s: %s\n", $i + 1, $e['class'], $e['message']);
                 foreach ($e['trace'] as $trace) {
diff --git a/src/Symfony/Component/ErrorRenderer/ErrorRenderer/XmlErrorRenderer.php b/src/Symfony/Component/ErrorRenderer/ErrorRenderer/XmlErrorRenderer.php
@@ -42,12 +42,14 @@ public function render(FlattenException $exception): string
     {
         $debug = $this->debug && ($exception->getHeaders()['X-Debug'] ?? true);
         $title = $this->escapeXml($exception->getTitle());
-        $message = $this->escapeXml($exception->getMessage());
         $statusCode = $this->escapeXml($exception->getStatusCode());
         $charset = $this->escapeXml($this->charset);
 
         $exceptions = '';
+        $message = '';
         if ($debug) {
+            $message = '<detail>'.$this->escapeXml($exception->getMessage()).'</detail>';
+
             $exceptions .= '<exceptions>';
             foreach ($exception->toArray() as $e) {
                 $exceptions .= sprintf('<exception class="%s" message="%s"><traces>', $e['class'], $this->escapeXml($e['message']));
@@ -71,7 +73,7 @@ public function render(FlattenException $exception): string
 <problem xmlns="urn:ietf:rfc:7807">
     <title>{$title}</title>
     <status>{$statusCode}</status>
-    <detail>{$message}</detail>
+    {$message}
     {$exceptions}
 </problem>
 EOF;
diff --git a/src/Symfony/Component/ErrorRenderer/Tests/Command/DebugCommandTest.php b/src/Symfony/Component/ErrorRenderer/Tests/Command/DebugCommandTest.php
@@ -56,8 +56,7 @@ public function testFormatArgument()
         $this->assertSame(<<<TXT
 {
     "title": "Internal Server Error",
-    "status": 500,
-    "detail": "This is a sample exception."
+    "status": 500
 }
 
 TXT
diff --git a/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/JsonErrorRendererTest.php b/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/JsonErrorRendererTest.php
@@ -44,8 +44,7 @@ public function getRenderData(): iterable
         $expectedNonDebug = <<<JSON
 {
     "title": "Internal Server Error",
-    "status": 500,
-    "detail": "Foo"
+    "status": 500
 }
 JSON;
 
diff --git a/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/TxtErrorRendererTest.php b/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/TxtErrorRendererTest.php
@@ -39,7 +39,6 @@ public function getRenderData(): iterable
         $expectedNonDebug = <<<TXT
 [title] Internal Server Error
 [status] 500
-[detail] Foo
 TXT;
 
         yield '->render() returns the TXT content WITH stack traces in debug mode' => [
diff --git a/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/XmlErrorRendererTest.php b/src/Symfony/Component/ErrorRenderer/Tests/ErrorRenderer/XmlErrorRendererTest.php
@@ -43,7 +43,7 @@ public function getRenderData(): iterable
 <problem xmlns="urn:ietf:rfc:7807">
     <title>Internal Server Error</title>
     <status>500</status>
-    <detail>Foo</detail>
+    
     
 </problem>
 XML;
diff --git a/src/Symfony/Component/HttpKernel/Tests/Controller/ErrorControllerTest.php b/src/Symfony/Component/HttpKernel/Tests/Controller/ErrorControllerTest.php
@@ -61,7 +61,7 @@ public function getInvokeControllerDataProvider()
             $request,
             FlattenException::createFromThrowable(new \Exception('foo')),
             500,
-            '{"title": "Internal Server Error","status": 500,"detail": "foo"}',
+            '{"title": "Internal Server Error","status": 500}',
         ];
 
         $request = new Request();
@@ -70,7 +70,7 @@ public function getInvokeControllerDataProvider()
             $request,
             FlattenException::createFromThrowable(new HttpException(405, 'Invalid request.')),
             405,
-            '{"title": "Method Not Allowed","status": 405,"detail": "Invalid request."}',
+            '{"title": "Method Not Allowed","status": 405}',
         ];
 
         $request = new Request();
@@ -79,7 +79,7 @@ public function getInvokeControllerDataProvider()
             $request,
             FlattenException::createFromThrowable(new HttpException(405, 'Invalid request.')),
             405,
-            '{"title": "Method Not Allowed","status": 405,"detail": "Invalid request."}',
+            '{"title": "Method Not Allowed","status": 405}',
         ];
 
         $request = new Request();

Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,6 @@ public function testDefaultJsonLoginBadRequest()`
`70`	`70`
`71`	`71`	`$this->assertSame(400, $response->getStatusCode());`
`72`	`72`	`$this->assertSame('application/json', $response->headers->get('Content-Type'));`
`73`		`- $this->assertSame(['title' => 'Bad Request', 'status' => 400, 'detail' => 'Invalid JSON.'], json_decode($response->getContent(), true));`
	`73`	`+ $this->assertSame(['title' => 'Bad Request', 'status' => 400], json_decode($response->getContent(), true));`
`74`	`74`	`}`
`75`	`75`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,8 +56,7 @@ public function testFormatArgument()`
`56`	`56`	`$this->assertSame(<<<TXT`
`57`	`57`	`{`
`58`	`58`	`"title": "Internal Server Error",`
`59`		`- "status": 500,`
`60`		`- "detail": "This is a sample exception."`
	`59`	`+ "status": 500`
`61`	`60`	`}`
`62`	`61`
`63`	`62`	`TXT`
Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,7 @@ public function getRenderData(): iterable`
`44`	`44`	`$expectedNonDebug = <<<JSON`
`45`	`45`	`{`
`46`	`46`	`"title": "Internal Server Error",`
`47`		`- "status": 500,`
`48`		`- "detail": "Foo"`
	`47`	`+ "status": 500`
`49`	`48`	`}`
`50`	`49`	`JSON;`
`51`	`50`