This is an automated email from the ASF dual-hosted git repository. benw pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/tapestry-5.git
The following commit(s) were added to refs/heads/master by this push:
new 2c61207ce TAP5-2768: DefaultRequestExceptionHandler doesn't leak error msg if prod
2c61207ce is described below
commit 2c61207ce41150b16cb4dd4ca96efd06c60cf1e9
Author: Ben Weidig <b...@netzgut.net>
AuthorDate: Thu Nov 9 08:52:49 2023 +0100
TAP5-2768: DefaultRequestExceptionHandler doesn't leak error msg if prod
---
.../services/DefaultRequestExceptionHandler.java | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/DefaultRequestExceptionHandler.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/DefaultRequestExceptionHandler.java
index dc823ac59..497b94bd4 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/DefaultRequestExceptionHandler.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/DefaultRequestExceptionHandler.java
@@ -266,13 +266,21 @@ public class DefaultRequestExceptionHandler implements RequestExceptionHandler
 response.setStatus(statusCode);
- String rawMessage = ExceptionUtils.toMessage(exception);
+ // TAP5-2768: Don't leak Exception details to client in production mode
+ String headerValue = null;
+ if (productionMode)
+ {
+ headerValue = "An error occurred.";
+ } else
+ {
+ String rawMessage = ExceptionUtils.toMessage(exception);
- // Encode it compatibly with the JavaScript escape() function.
+ // Encode it compatibly with the JavaScript escape() function.
- String encoded = URLEncoder.encode(rawMessage, "UTF-8").replace("+", "%20");
+ headerValue = URLEncoder.encode(rawMessage, "UTF-8").replace("+", "%20");
+ }
- response.setHeader("X-Tapestry-ErrorMessage", encoded);
+ response.setHeader("X-Tapestry-ErrorMessage", headerValue);
 Page page = pageCache.get(pageName);
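Review bot: `String headerValue = null;` in the added block is a dead initializer that defeats the compiler's definite-assignment check; declaring it `final String headerValue;` and assigning in both branches keeps the behaviour identical while turning a future branch that forgets the assignment into a compile error rather than a null `X-Tapestry-ErrorMessage` header. In the non-production branch the pre-existing `URLEncoder.encode(rawMessage, "UTF-8")` still runs on whatever `ExceptionUtils.toMessage` returns, so if that helper can yield null the header write throws before the custom error page renders — a `String.valueOf(rawMessage)` or explicit null guard would be cheap, though whether it can return null is not visible from this hunk. The `productionMode` field is not introduced by this commit (the diffstat shows only this hunk), so it is presumably an existing injected production-mode flag; since the literal `An error occurred.` is now the contract the client-side code sees in production, a test asserting the header is exactly that string when the flag is set would pin the fix. The enclosing method's signature lies before this hunk.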