Details
Bug
Resolution: Fixed
Medium
1.13.5, 2.5.8
[3.0] - Sprint 22
Description
When the API encounters an error, it leaks the full path to the file where it occurred, in addition to class/namespace and error explanation. This is not a direct threat, but is useful information for an attacker looking for attack vectors. (Fixing it is a form of Security By Obscurity, but that is not a bad thing in itself, as long as we don't rely on it alone.)
The full path should not be shown in prod mode, possibly not the other info either. The safest is a generic "An error has occurred", with a short text about how this can be reported to the site owner. Legit end users won't see this anyway, afaik.
Test
curl -H "Authorization: Basic Y29tZWNvOnByZXZpZXc=" \
     -H "X-HTTP-Method-Override: PATCH" \
     -H "Content-Type: application/vnd.ez.api.Content+xml" \
     -X POST http://127.0.0.1:8000/api/ezp/v2/content/objects/2102
Prod result
<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
  <errorCode>500</errorCode>
  <errorMessage>Internal Server Error</errorMessage>
  <errorDescription>Type error: Argument 1 passed to eZ\Publish\Core\REST\Common\Input\ParsingDispatcher::parse() must be of the type array, null given, called in /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Dispatcher.php on line 113</errorDescription>
</ErrorMessage>
Dev result
<?xml version="1.0" encoding="UTF-8"?>
<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
  <errorCode>500</errorCode>
  <errorMessage>Internal Server Error</errorMessage>
  <errorDescription>Warning: DOMDocument::loadXML(): Empty string supplied as input</errorDescription>
  <trace>#0 /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Dispatcher.php(99): eZ\Publish\Core\REST\Common\Input\Handler\Xml->convert('')
#1 /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Server/Controller/Content.php(122): eZ\Publish\Core\REST\Common\Input\Dispatcher->parse(Object(eZ\Publish\Core\REST\Common\Message))
#2 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(151): eZ\Publish\Core\REST\Server\Controller\Content->updateContentMetadata('2102', Object(Symfony\Component\HttpFoundation\Request))
#3 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#4 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php(200): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#5 /home/gl/git/ezplatform/web/app.php(72): Symfony\Component\HttpKernel\Kernel->handle(Object(Symfony\Component\HttpFoundation\Request))
#6 /home/gl/git/ezplatform/web/app_dev.php(22): require('/home/gl/git/ez...')
#7 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Bundle/WebServerBundle/Resources/router.php(42): require('/home/gl/git/ez...')
#8 {main}</trace>
  <file>/home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Handler/Xml.php</file>
  <line>95</line>
</ErrorMessage>
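A regression check for the behaviour the description asks for, as an added example that is not part of the original issue or of the eZ Platform code base: it parses an ErrorMessage response and reports which server internals it exposes. The function name `find_leaks`, the patterns and the generic sample response are assumptions; the leaking sample is the prod result shown above.

```python
import re
import xml.etree.ElementTree as ET

# Elements that appear only in the dev-mode response on this page.
DEBUG_ELEMENTS = ("trace", "file", "line")

# Text patterns that reveal server internals (assumed, tune for your stack).
LEAK_PATTERNS = {
    "absolute path": re.compile(r"(?:/[\w.-]+){2,}\.php"),
    "source line": re.compile(r"\bon line \d+"),
    "namespaced class": re.compile(r"\b\w+(?:\\\w+){2,}"),
}

# Prod result from the issue, before the fix.
PROD_BEFORE = (
    r'<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">'
    r'<errorCode>500</errorCode><errorMessage>Internal Server Error</errorMessage>'
    r'<errorDescription>Type error: Argument 1 passed to '
    r'eZ\Publish\Core\REST\Common\Input\ParsingDispatcher::parse() must be of '
    r'the type array, null given, called in /home/gl/git/ezplatform/vendor/'
    r'ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Dispatcher.php'
    r' on line 113</errorDescription></ErrorMessage>'
)

# Constructed sample of the generic response the issue proposes for prod mode.
PROD_GENERIC = (
    '<ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">'
    '<errorCode>500</errorCode><errorMessage>Internal Server Error</errorMessage>'
    '<errorDescription>An error has occurred. Please report it to the site owner.'
    '</errorDescription></ErrorMessage>'
)


def find_leaks(xml_body):
    """Return a sorted list of leak labels found in an ErrorMessage document."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    leaks = set()
    for tag in DEBUG_ELEMENTS:          # debug-only child elements
        if root.find(tag) is not None:
            leaks.add("<%s> element" % tag)
    for node in root.iter():            # element text only, not attributes
        for label, pattern in LEAK_PATTERNS.items():
            if pattern.search(node.text or ""):
                leaks.add(label)
    return sorted(leaks)


if __name__ == "__main__":
    print("before fix:", find_leaks(PROD_BEFORE))
    print("generic   :", find_leaks(PROD_GENERIC))
```

Run it against the body returned by the curl test in prod mode and fail the build when the list is not empty.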