Posted to dev@sling.apache.org by "Konrad Windszus (JIRA)" <ji...@apache.org> on 2017/03/23 14:33:41 UTC

[jira] [Comment Edited] (SLING-6703) Sling Post Processor: Do not create new exception in AbstractPostResponse.setError

    [ https://issues.apache.org/jira/browse/SLING-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15938445#comment-15938445 ] 

Konrad Windszus edited comment on SLING-6703 at 3/23/17 2:33 PM:
-----------------------------------------------------------------

[~asanso] The fix from you in SLING-4415 prevents the original exception from being exposed, but only for the HTML response (not for the JSON response). Since the response format is influenced by the client, this does not give any additional security (because internal paths would still be exposed in the JSON response). Also, this prevents useful exceptions (e.g. thrown from POST processors) not exposing any internal paths from appearing in the HTML response at all. Would it be an option to just filter out {{org.apache.sling.api.resource.PersistenceException}}s which potentially leak some information about the underlying repo structure but pass all other exceptions unmodified?


was (Author: kwin):
[~asanso] The fix from you in SLING-4415 prevents the original exception from being exposed, but only for the HTML response (not for the JSON response). Since the response format is influenced by the client, this does not give any additional security (because internal paths would still be exposed in the JSON response). Also, this prevents useful exceptions (not exposing any internal paths) from appearing in the HTML response at all. Would it be an option to just filter out {{org.apache.sling.api.resource.PersistenceException}}s which potentially leak some information about the underlying repo structure but pass all other exceptions unmodified?

> Sling Post Processor: Do not create new exception in AbstractPostResponse.setError
> ----------------------------------------------------------------------------------
>
>                 Key: SLING-6703
>                 URL: https://issues.apache.org/jira/browse/SLING-6703
>             Project: Sling
>          Issue Type: Improvement
>          Components: Servlets
>    Affects Versions: Servlets Post 2.3.14
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>
> Currently {{AbstractPostResponse.setError}} (https://github.com/apache/sling/blob/4df9ab2d6592422889c71fa13afd453a10a5a626/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/AbstractPostResponse.java#L221) always ignores the given {{Throwable}} and just creates a new generic {{SlingException}}.
> To e.g. allow {{SlingPostProcessor}} to throw meaningful exceptions which occur in the response body, the given exception should not be wrapped but just the given throwable's message text should be given out in the document.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
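
The filtering proposed in the comment above, as an added example (not Sling's code and not part of the issue): the exception text is filtered once, before either renderer runs, so the client's choice of response format cannot change what is disclosed. All class and method names, the generic message, the output shapes and the walk over the cause chain are assumptions; `PersistenceException` here is a local stand-in for `org.apache.sling.api.resource.PersistenceException`.

```java
import java.util.List;

// Added illustration; none of these classes are Sling's own code.
public class ErrorMessageFilterDemo {

    // Local stand-in for org.apache.sling.api.resource.PersistenceException.
    static class PersistenceException extends Exception {
        PersistenceException(String msg) { super(msg); }
    }

    // Single choke point: decide what text may leave the server.
    static String publicMessage(Throwable t) {
        // Assumption: a PersistenceException anywhere in the cause chain is filtered.
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof PersistenceException) {
                return "Unable to persist changes"; // generic, no repository detail
            }
        }
        // Every other exception keeps its own message, as the comment asks.
        return t.getMessage() == null ? t.getClass().getSimpleName() : t.getMessage();
    }

    // Both renderers receive only the filtered text.
    static String renderHtml(Throwable t) {
        return "<div id=\"Message\">" + escapeHtml(publicMessage(t)) + "</div>";
    }

    static String renderJson(Throwable t) {
        return "{\"error\":{\"message\":\"" + escapeJson(publicMessage(t)) + "\"}}";
    }

    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    // Minimal escaping for this demo; a real response would use a JSON library.
    static String escapeJson(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    public static void main(String[] args) {
        // Constructed sample exceptions; the path is made up.
        List<Throwable> samples = List.of(
            new PersistenceException("Unable to commit changes at /constructed/internal/path"),
            new IllegalArgumentException("Title must not be empty"),
            new RuntimeException("wrapped", new PersistenceException("/constructed/internal/path")));
        for (Throwable t : samples) {
            System.out.println(renderHtml(t) + "  " + renderJson(t));
        }
    }
}
```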