-rw-r--r--HISTORY1
-rw-r--r--framework/Exceptions/TErrorHandler.php45
2 files changed, 43 insertions, 3 deletions
diff --git a/HISTORY b/HISTORY
index 9aaa8e29..8a2138da 100644
--- a/HISTORY
+++ b/HISTORY
@@ -3,6 +3,7 @@ BUG: Issue#98 - Missing file in quickstart demo (Chrisotphe)
BUG: Issue#117 - Consider TValidationSummary.DisplayMode="HeaderOnly" if TValidationSummary.ShowMessageBox is set (Yves)
BUG: Issue#164 - CultureInfo::validCulture should be declared as a static method (Christophe)
BUG: Issue#168 - TSqlMapXmlConfiguration: CacheModel properties are not set (Yves)
+ENH: Issue#174 - TErrorHandler: HTTP error messages contains sensitive information (Yves)
ENH: Issue#175 - TBulletedList: Introduce TBulletStyle::None (Yves)
ENH: TAssetManager: introduce protected property "Published" to allow subclasses access (Yves)
ENH: TFirePhpLogRoute: bypass to TBrowserLogRoute if headers already sent / php.ini (output_buffering=Off, implicit_flush=On) (Yves)
diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php
index fa8e6d4a..3b5927d6 100644
--- a/framework/Exceptions/TErrorHandler.php
+++ b/framework/Exceptions/TErrorHandler.php
@@ -139,6 +139,33 @@ class TErrorHandler extends TModule
}
}
+
+ /**
+ * @param string $value
+ * @param Exception|null$exception
+ * @return string
+ * @since 3.1.6
+ */
+ protected static function hideSecurityRelated($value, $exception=null)
+ {
+ $aRpl = array();
+ if($exception !== null && $exception instanceof Exception)
+ {
+ $aTrace = $exception->getTrace();
+ foreach($aTrace as $item)
+ {
+ $file = $item['file'];
+ $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '<hidden>' . DIRECTORY_SEPARATOR;
+ }
+ }
+ $aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}';
+ $aRpl[str_replace('/', DIRECTORY_SEPARATOR, $_SERVER['DOCUMENT_ROOT'])] = '${DocumentRoot}';
+ $aRpl[PRADO_DIR . DIRECTORY_SEPARATOR] = '${PradoFramework}' . DIRECTORY_SEPARATOR;
+ $aRpl = array_reverse($aRpl, true);
+
+ return str_replace(array_keys($aRpl), $aRpl, $value);
+ }
+
/**
* Displays error to the client user.
* THttpException and errors happened when the application is in <b>Debug</b>
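Review bot: `$item['file']` is read unconditionally inside the `foreach` over `getTrace()`, but frames for internal calls (closures or callbacks invoked through `call_user_func`, for instance) carry no `file` key; on such a frame `dirname()` of a null/empty value gives an empty or `.` prefix, so the replacement table gains a key of just `DIRECTORY_SEPARATOR` and the final `str_replace` would rewrite every separator in the message to `<hidden>/` instead of masking only real paths. A guard before the assignment fixes it: `if(!isset($item['file'])) continue;`. The same applies to `$_SERVER['DOCUMENT_ROOT']`, which is undefined under the CLI and would emit a notice from inside the error handler itself; `isset($_SERVER['DOCUMENT_ROOT'])` around those two entries keeps the handler quiet there. Two smaller points: the `$exception !== null` test is redundant once `instanceof Exception` is checked, and the docblock line `@param Exception|null$exception` is missing the space before the parameter name.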
@@ -154,18 +181,30 @@ class TErrorHandler extends TModule
$content=$this->getErrorTemplate($statusCode,$exception);
$serverAdmin=isset($_SERVER['SERVER_ADMIN'])?$_SERVER['SERVER_ADMIN']:'';
- if($this->getApplication()->getMode()===TApplicationMode::Debug)
+
+ $isDebug = $this->getApplication()->getMode()===TApplicationMode::Debug;
+
+ $errorMessage = $exception->getMessage();
+ if($isDebug)
$version=$_SERVER['SERVER_SOFTWARE'].' <a href="http://www.pradosoft.com/">PRADO</a>/'.Prado::getVersion();
else
+ {
$version='';
+ $errorMessage = self::hideSecurityRelated($errorMessage, $exception);
+ }
$tokens=array(
'%%StatusCode%%' => "$statusCode",
- '%%ErrorMessage%%' => htmlspecialchars($exception->getMessage()),
+ '%%ErrorMessage%%' => htmlspecialchars($errorMessage),
'%%ServerAdmin%%' => $serverAdmin,
'%%Version%%' => $version,
'%%Time%%' => @strftime('%Y-%m-%d %H:%M',time())
);
- header("HTTP/1.0 $statusCode ".$exception->getMessage());
+
+ if($isDebug)
+ header("HTTP/1.0 $statusCode ".$exception->getMessage(), true, $statusCode);
+ else
+ header("HTTP/1.0 $statusCode", true, $statusCode);
+
echo strtr($content,$tokens);
}
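Review bot: The debug branch of the new `header()` call still copies the raw exception message into the HTTP status line, and PHP's `header()` refuses any value containing CR or LF, so an exception message with a newline leaves the status line unsent (with a warning) while the body is still echoed with `$statusCode`; collapsing line breaks first keeps the header valid, e.g. `header("HTTP/1.0 $statusCode ".str_replace(array("\r", "\n"), ' ', $exception->getMessage()), true, $statusCode);`. The non-debug branch, which now sends the bare status code, is the right direction and also avoids leaking paths through response headers. Note that `hideSecurityRelated` is applied only to `$errorMessage`, so nothing else in `$tokens` is masked; that is consistent with the commit's scope, but a one-line comment on the `else` branch saying `// production mode: mask filesystem paths before the message reaches the client` would make the intent explicit. The start of this method's body lies outside the hunk.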