Uploaded image for project: 'eZ Publish / Platform'
  1. eZ Publish / Platform
  2. EZP-31298

API errors leak path information

    XMLWordPrintable

    Details

    • Sprint:
      [3.0] - Sprint 22

      Description

      When the API encounters an error, it leaks the full path to the file where it occurred, in addition to class/namespace and error explanation. This is not a direct threat, but is useful information for an attacker looking for attack vectors. (Fixing it is a form of Security By Obscurity, but that is not a bad thing in itself, as long as we don't rely on it alone.)

      The full path should not be shown in prod mode, possibly not the other info either. The safest is a generic "An error has occurred", with a short text about how this can be reported to the site owner. Legit end users won't see this anyway, afaik.

      Test

      curl -H "Authorization: Basic Y29tZWNvOnByZXZpZXc=" \
           -H "X-HTTP-Method-Override: PATCH" \
           -H "Content-Type: application/vnd.ez.api.Content+xml" \
           -X POST http://127.0.0.1:8000/api/ezp/v2/content/objects/2102
      

      Prod result

      <?xml version="1.0" encoding="UTF-8"?>
      <ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml"><errorCode>500</errorCode><errorMessage>Internal Server Error</errorMessage><errorDescription>Type error: Argument 1 passed to eZ\Publish\Core\REST\Common\Input\ParsingDispatcher::parse() must be of the type array, null given, called in /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Dispatcher.php on line 113</errorDescription></ErrorMessage>
      

      Dev result

      <?xml version="1.0" encoding="UTF-8"?>
      <ErrorMessage media-type="application/vnd.ez.api.ErrorMessage+xml">
       <errorCode>500</errorCode>
       <errorMessage>Internal Server Error</errorMessage>
       <errorDescription>Warning: DOMDocument::loadXML(): Empty string supplied as input</errorDescription>
       <trace>#0 /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Dispatcher.php(99): eZ\Publish\Core\REST\Common\Input\Handler\Xml-&gt;convert('')
      #1 /home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Server/Controller/Content.php(122): eZ\Publish\Core\REST\Common\Input\Dispatcher-&gt;parse(Object(eZ\Publish\Core\REST\Common\Message))
      #2 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(151): eZ\Publish\Core\REST\Server\Controller\Content-&gt;updateContentMetadata('2102', Object(Symfony\Component\HttpFoundation\Request))
      #3 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/HttpKernel.php(68): Symfony\Component\HttpKernel\HttpKernel-&gt;handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
      #4 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Component/HttpKernel/Kernel.php(200): Symfony\Component\HttpKernel\HttpKernel-&gt;handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
      #5 /home/gl/git/ezplatform/web/app.php(72): Symfony\Component\HttpKernel\Kernel-&gt;handle(Object(Symfony\Component\HttpFoundation\Request))
      #6 /home/gl/git/ezplatform/web/app_dev.php(22): require('/home/gl/git/ez...')
      #7 /home/gl/git/ezplatform/vendor/symfony/symfony/src/Symfony/Bundle/WebServerBundle/Resources/router.php(42): require('/home/gl/git/ez...')
      #8 {main}</trace>
       <file>/home/gl/git/ezplatform/vendor/ezsystems/ezpublish-kernel/eZ/Publish/Core/REST/Common/Input/Handler/Xml.php</file>
       <line>95</line>
      </ErrorMessage>
      

        Attachments

          Activity

            People

            Assignee:
            Unassigned
            Reporter:
            gunnstein.lye@ez.no Gunnstein Lye
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: