Allow a whitelist of errors to be shown when showerrors is true (simplesamlphp#2546)

monkeyiq · web-flow · commit 71f4f315d8d4 · 2025-10-21T09:51:44.000+10:00
If this whitelist is not used then all errors are shown if showerrors is true. You can use this new option to explicitly allow backtraces and descriptions to be shown to the user for only select error events. If you provide a list of errors to show then anything not on that list will not be shown to the user. The error will be logged etc as normal. This was raised in simplesamlphp#2513
diff --git a/config/config.php.dist b/config/config.php.dist
@@ -347,6 +347,66 @@ $config = [
     'showerrors' => false,
     'errorreporting' => true,
 
+    /*
+     * When showerrors is true, this is an array of which errors
+     * should still be shown to the user. By default an error will
+     * always be shown if showerrors==true and this setting is at the default value to allow all.
+     *
+     * If you list anything in this option you have to explicitly list each error
+     * you would like to be shown to the user. You can also set the value to false
+     * to hide that error. If this setting is used with anything other than the default
+     * value and an error is not listed in the list then a backtrace for that error
+     * will not be shown.
+     *
+     * These can be any of the error codes in
+     * src/SimpleSAML/Error/ErrorCodes.php
+     *
+     */
+    'showerrors.whitelist' => [ '*' => true ],
+    /*
+       some of the many possibilities for this setting
+       
+    'showerrors.whitelist' => [
+       'ACSPARAMS' => true,
+       'ADMINNOTHASHED' => true,
+       'ARSPARAMS' => true,
+       'AUTHSOURCEERROR' => true,
+       'BADREQUEST' => true,
+       'CASERROR' => true,
+       'CONFIG' => true,
+       'CREATEREQUEST' => true,
+       'DISCOPARAMS' => true,
+       'GENERATEAUTHNRESPONSE' => true,
+       'INVALIDCERT' => true,
+       'LDAPERROR' => true,
+       'LOGOUTINFOLOST' => true,
+       'LOGOUTREQUEST' => true,
+       'MEMCACHEDOWN' => true,
+       'METADATA' => true,
+       'METADATANOTFOUND' => true,
+       'METHODNOTALLOWED' => true,
+       'NOACCESS' => true,
+       'NOCERT' => true,
+       'NORELAYSTATE' => true,
+       'NOSTATE' => true,
+       'NOTFOUND' => true,
+       'NOTFOUNDREASON' => true,
+       'NOTSET' => true,
+       'NOTVALIDCERT' => true,
+       'NOTVALIDCERTSIGNATURE' => true,
+       'PROCESSASSERTION' => true,
+       'PROCESSAUTHNREQUEST' => true,
+       'RESPONSESTATUSNOSUCCESS' => true,
+       'SLOSERVICEPARAMS' => true,
+       'SSOPARAMS' => true,
+       'UNHANDLEDEXCEPTION' => true,
+       'UNKNOWNCERT' => true,
+       'USERABORTED' => true,
+       'WRONGUSERPASS' => true,
+       ],
+     */
+
+    
     /*
      * Custom error show function called from SimpleSAML\Error\Error::show.
      * See docs/simplesamlphp-errorhandling.md for function code example.
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php
@@ -225,6 +225,28 @@ protected function saveError(): array
         } else {
             $referer = 'unknown';
         }
+
+        $showerrors = $config->getOptionalBoolean('showerrors', false);
+
+        $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+        if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) {
+            // no change to filtering
+            // everything is shown by default.
+        } else {
+            // explicitly handle showing erorrs
+            // if not listed, do not show backtrace.
+            $showRealError = false;
+            if (array_key_exists($this->errorCode, $whitelist)) {
+                $showRealError = ($whitelist[$this->errorCode] == true);
+            }
+            if (!$showRealError) {
+                // they didn't select to show this message
+                $emsg = "secret";
+                $etrace = "trace";
+                $showerrors = false;
+            }
+        }
+
         $httpUtils = new Utils\HTTP();
         $errorData = [
             'exceptionMsg'   => $emsg,
@@ -234,6 +256,7 @@ protected function saveError(): array
             'url'            => $httpUtils->getSelfURLNoQuery(),
             'version'        => $config->getVersion(),
             'referer'        => $referer,
+            'showerrors'     => $showerrors,
         ];
         $session->setData('core:errorreport', $reportId, $errorData);
 
@@ -261,7 +284,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false):
         $config = Configuration::getInstance();
 
         $data = [];
-        $data['showerrors'] = $config->getOptionalBoolean('showerrors', false);
+        $data['showerrors'] = $errorData['showerrors'];
         $data['error'] = $errorData;
         $data['errorCode'] = $this->errorCode;
         $data['parameters'] = $this->parameters;
