7bed81812d
Fix a potential exploit where private information could be leaked if
it was contained in the error message of an unexpected exception.
For example, NoMethodError contains a raw dump of the object in the
error message, which could leak private user data if you could force a
User object to raise a NoMethodError.
Fix the error page to only show known-safe error messages from expected
exceptions, not unknown error messages from unexpected exceptions.
API changes:
* JSON errors now have a `message` param. The message will be blank for unknown exceptions.
* XML errors have a new format. This is a breaking change. They now look like this:
<result>
<success type="boolean">false</success>
<error>PaginationExtension::PaginationError</error>
<message>You cannot go beyond page 5000.</message>
<backtrace type="array">
<backtrace>app/logical/pagination_extension.rb:54:in `paginate'</backtrace>
<backtrace>app/models/application_record.rb:17:in `paginate'</backtrace>
<backtrace>app/logical/post_query_builder.rb:529:in `paginated_posts'</backtrace>
<backtrace>app/logical/post_sets/post.rb:95:in `posts'</backtrace>
<backtrace>app/controllers/posts_controller.rb:22:in `index'</backtrace>
</backtrace>
</result>
instead of like this:
<result success="false">You cannot go beyond page 5000.</result>
20 lines
451 B
Plaintext
20 lines
451 B
Plaintext
<% page_title "Error: #{@exception.class}" %>
|
|
|
|
<h1>Error</h1>
|
|
|
|
<% if @message.present? %>
|
|
<p><%= @message %></p>
|
|
<% else %>
|
|
<p>Unexpected error: <%= @exception.class %>.</p>
|
|
|
|
<h3>Details</h3>
|
|
|
|
<ul class="backtrace font-monospace p-4 mb-4">
|
|
<li><%= @exception.class.to_s %> exception raised</li>
|
|
|
|
<% Rails.backtrace_cleaner.clean(@backtrace).each do |b| %>
|
|
<li class="backtrace-line"><%= b %></li>
|
|
<% end %>
|
|
</ul>
|
|
<% end %>
|