From 5eca5a71c6d3ce82bb15bce57a06f7d84b011c8f Mon Sep 17 00:00:00 2001 From: "godzilla80@gmx.net" <> Date: Sun, 7 Jun 2009 12:31:01 +0000 Subject: Fixed Issue#174 - TErrorHandler: HTTP error messages contains sensitive information --- framework/Exceptions/TErrorHandler.php | 45 +++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 3 deletions(-) (limited to 'framework/Exceptions') diff --git a/framework/Exceptions/TErrorHandler.php b/framework/Exceptions/TErrorHandler.php index fa8e6d4a..3b5927d6 100644 --- a/framework/Exceptions/TErrorHandler.php +++ b/framework/Exceptions/TErrorHandler.php @@ -139,6 +139,33 @@ class TErrorHandler extends TModule } } + + /** + * @param string $value + * @param Exception|null$exception + * @return string + * @since 3.1.6 + */ + protected static function hideSecurityRelated($value, $exception=null) + { + $aRpl = array(); + if($exception !== null && $exception instanceof Exception) + { + $aTrace = $exception->getTrace(); + foreach($aTrace as $item) + { + $file = $item['file']; + $aRpl[dirname($file) . DIRECTORY_SEPARATOR] = '' . DIRECTORY_SEPARATOR; + } + } + $aRpl[$_SERVER['DOCUMENT_ROOT']] = '${DocumentRoot}'; + $aRpl[str_replace('/', DIRECTORY_SEPARATOR, $_SERVER['DOCUMENT_ROOT'])] = '${DocumentRoot}'; + $aRpl[PRADO_DIR . DIRECTORY_SEPARATOR] = '${PradoFramework}' . DIRECTORY_SEPARATOR; + $aRpl = array_reverse($aRpl, true); + + return str_replace(array_keys($aRpl), $aRpl, $value); + } + /** * Displays error to the client user. * THttpException and errors happened when the application is in Debug @@ -154,18 +181,30 @@ class TErrorHandler extends TModule $content=$this->getErrorTemplate($statusCode,$exception); $serverAdmin=isset($_SERVER['SERVER_ADMIN'])?$_SERVER['SERVER_ADMIN']:''; - if($this->getApplication()->getMode()===TApplicationMode::Debug) + + $isDebug = $this->getApplication()->getMode()===TApplicationMode::Debug; + + $errorMessage = $exception->getMessage(); + if($isDebug) $version=$_SERVER['SERVER_SOFTWARE'].' PRADO/'.Prado::getVersion(); else + { $version=''; + $errorMessage = self::hideSecurityRelated($errorMessage, $exception); + } $tokens=array( '%%StatusCode%%' => "$statusCode", - '%%ErrorMessage%%' => htmlspecialchars($exception->getMessage()), + '%%ErrorMessage%%' => htmlspecialchars($errorMessage), '%%ServerAdmin%%' => $serverAdmin, '%%Version%%' => $version, '%%Time%%' => @strftime('%Y-%m-%d %H:%M',time()) ); - header("HTTP/1.0 $statusCode ".$exception->getMessage()); + + if($isDebug) + header("HTTP/1.0 $statusCode ".$exception->getMessage(), true, $statusCode); + else + header("HTTP/1.0 $statusCode", true, $statusCode); + echo strtr($content,$tokens); } -- cgit v1.2.3