Config to prevent reflection of user input when reporting errors #9811
Conversation
oracle-contributor-agreement
bot
added
the
OCA Verified
There was a problem hiding this comment.
We are reflecting back a cleaned user input (it should not contain the actual illegal character, unless it is an OK entity to return - i.e. if [ is forbidden, we can still return it, as it is not an HTML entity, so it does not matter
Even if we had a bug that returns illegal characters, the fix is to remove the illegal character from the returned string (it should be replaced with some other character, to keep the indexes - this should be already implemented).
Yes, that's the current behavior, but I still think it is unnecessary to return back all those characters as we are doing now. Pointing out the invalid char in the URI should be sufficient. |
…prevent any entity from being returned to avoid reflecting any data from a request. Default settings can be modified to return safe messages and to log all messages.
spericas
changed the title
spericas
force-pushed
the
issue-9698
branch
2 times, most recently
from
c3b1fda to
7f6fbc7
Compare
Signed-off-by: Santiago Pericas-Geertsen <santiago.pericasgeertsen@oracle.com>
| * @return optional error handling | ||
| */ | ||
| @Option.Configured | ||
| Optional<ErrorHandling> errorHandling(); |
There was a problem hiding this comment.
This could probably return ErrorHandling instead of Optional<ErrorHandling> using @io.helidon.builder.api.Option.DefaultMethod("create"), as both options have sensible defaults.
This would make usage a bit nicer.
Description
New config section in listeners for error handling. Default settings prevent any entity from being returned to avoid reflecting any data from a request. Default settings can be modified to return safe messages and to log all messages. Issue #9698.
Documentation
None