From 5eca5a71c6d3ce82bb15bce57a06f7d84b011c8f Mon Sep 17 00:00:00 2001
From: "godzilla80@gmx.net" <>
Date: Sun, 7 Jun 2009 12:31:01 +0000
Subject: Fixed Issue#174 - TErrorHandler: HTTP error messages contains sensitive information
---
framework/Exceptions/TErrorHandler.php | 45 +++++++++++++++++++++++++++++++---
1 file changed, 42 insertions(+), 3 deletions(-)
(limited to 'framework/Exceptions/TErrorHandler.php')
diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php
index fa8e6d4a..3b5927d6 100644
--- a/framework/Exceptions/TErrorHandler.php
+++ b/framework/Exceptions/TErrorHandler.php
@@ -139,6 +139,33 @@ class TErrorHandler extends TModule
 }
 }
+
+ /**
+ * @param string $value
+ * @param Exception|null$exception
+ * @return string
+ * @since 3.1.6
+ */
+ protected static function hideSecurityRelated($value, $exception=null)
+ {
+ $aRpl = array();
+ if($exception !== null && $exception instanceof Exception)
+ {
+ $aTrace = $exception->getTrace();
+ foreach($aTrace as $item)
+ {
+ $file = $item['file'];
+ $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '' . DIRECTORY_SEPARATOR;
+ }
+ }
+ $aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}';
+ $aRpl[str_replace('/', DIRECTORY_SEPARATOR, $_SERVER['DOCUMENT_ROOT'])] = '${DocumentRoot}';
+ $aRpl[PRADO_DIR . DIRECTORY_SEPARATOR] = '${PradoFramework}' . DIRECTORY_SEPARATOR;
+ $aRpl = array_reverse($aRpl, true);
+
+ return str_replace(array_keys($aRpl), $aRpl, $value);
+ }
+
 /**
 * Displays error to the client user.
 * THttpException and errors happened when the application is in Debug 
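Review bot: The scrub map built in `hideSecurityRelated` misses the directory of the file where the exception was created, because `Exception::getFile()` is not one of the `getTrace()` frames (those record call sites), so a message containing that path still reveals the server layout unless it happens to sit under DOCUMENT_ROOT or PRADO_DIR. The loop also reads `$item['file']` unconditionally, and frames for internal functions or closures carry no `file` key, which raises a notice inside the error handler itself. Suggest seeding the map from `getFile()` and guarding the frame lookup as below. Even then this is a best-effort substring scrub — paths from other sources (a failed `fopen`/`include`, a DSN inside a database error) and an unset `$_SERVER['DOCUMENT_ROOT']` on non-web SAPIs are not covered — which is worth stating in the docblock, e.g. `* Best-effort: masks only trace/docroot/framework paths; the message may still carry other sensitive data.`
```php
if($exception !== null && $exception instanceof Exception)
{
    // the throw site is reported by getFile(), not as a getTrace() frame
    $aRpl[dirname($exception->getFile()) . DIRECTORY_SEPARATOR] = DIRECTORY_SEPARATOR;
    foreach($exception->getTrace() as $item)
    {
        // internal-function and closure frames have no 'file' entry
        if(isset($item['file']))
            $aRpl[dirname($item['file']) . DIRECTORY_SEPARATOR] = DIRECTORY_SEPARATOR;
    }
}
// … unchanged: DOCUMENT_ROOT / PRADO_DIR entries, array_reverse, str_replace …
```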
@@ -154,18 +181,30 @@ class TErrorHandler extends TModule
 $content=$this->getErrorTemplate($statusCode,$exception);
 $serverAdmin=isset($_SERVER['SERVER_ADMIN'])?$_SERVER['SERVER_ADMIN']:'';
- if($this->getApplication()->getMode()===TApplicationMode::Debug)
+
+ $isDebug = $this->getApplication()->getMode()===TApplicationMode::Debug;
+
+ $errorMessage = $exception->getMessage();
+ if($isDebug)
 $version=$_SERVER['SERVER_SOFTWARE'].' PRADO/'.Prado::getVersion();
 else
+ {
 $version='';
+ $errorMessage = self::hideSecurityRelated($errorMessage, $exception);
+ }
 $tokens=array(
 '%%StatusCode%%' => "$statusCode",
- '%%ErrorMessage%%' => htmlspecialchars($exception->getMessage()),
+ '%%ErrorMessage%%' => htmlspecialchars($errorMessage),
 '%%ServerAdmin%%' => $serverAdmin,
 '%%Version%%' => $version,
 '%%Time%%' => @strftime('%Y-%m-%d %H:%M',time())
 );
- header("HTTP/1.0 $statusCode ".$exception->getMessage());
+
+ if($isDebug)
+ header("HTTP/1.0 $statusCode ".$exception->getMessage(), true, $statusCode);
+ else
+ header("HTTP/1.0 $statusCode", true, $statusCode);
+
 echo strtr($content,$tokens);
 }
-- cgit v1.2.3
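Review bot: In the debug branch the raw exception message is still spliced into the status line, `header("HTTP/1.0 $statusCode ".$exception->getMessage(), true, $statusCode);`, and PHP's `header()` rejects any value containing CR or LF, so a multi-line message (database errors often are) makes the call fail and the page goes out with the default 200 status instead of `$statusCode`. Collapse line breaks before using the text as a reason phrase: `$reason = preg_replace('/[\r\n]+/', ' ', $exception->getMessage());` then `header("HTTP/1.0 $statusCode ".$reason, true, $statusCode);`. The non-debug line `HTTP/1.0 $statusCode` omits the reason phrase entirely; the third argument carries the code, but a generic phrase such as `Error` keeps the status line well-formed for intermediaries that parse it literally. The method this hunk edits begins above the hunk; the final `}` shown appears to be its end.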