[ https://issues.apache.org/jira/browse/TAP5-2768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17784331#comment-17784331 ]
Hudson commented on TAP5-2768:
------------------------------

FAILURE: Integrated in Jenkins build Tapestry » tapestry-java-19-freestyle #33 (See [https://ci-builds.apache.org/job/Tapestry/job/tapestry-java-19-freestyle/33/])
TAP5-2768: DefaultRequestExceptionHandler doesn't leak error msg if prod (ben: rev 2c61207ce41150b16cb4dd4ca96efd06c60cf1e9)
* (edit) tapestry-core/src/main/java/org/apache/tapestry5/internal/services/DefaultRequestExceptionHandler.java

> DefaultRequestExceptionHandler shouldn't send Exception message in production
> -----------------------------------------------------------------------------
>
> Key: TAP5-2768
> URL: https://issues.apache.org/jira/browse/TAP5-2768
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.8.3
> Reporter: Ben Weidig
> Assignee: Ben Weidig
> Priority: Minor
> Fix For: 5.8.4
>
>
> The {{DefaultRequestExceptionHandler}} shouldn't write the actual Exception
> message to the Request header {{X-Tapestry-ErrorMessage}} in production mode.
> Instead, a generic "An error occurred." should be used, as the message
> exposes app internals.
> The client-side code in {{ajax.coffee}} only uses the header detecting if an
> error occurred and logging it to {{console.error}}, so its actual value is
> irrelevant.
> Omitting the header completely would mean reworking {{ajax.coffee}}, as the
> header indicates that the response might contain HTML content for the
> exception frame.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)