
Commit 71f4f31

authored
Allow a whitelist of errors to be shown when showerrors is true (simplesamlphp#2546)
If this whitelist is not used, all errors are shown when showerrors is true. You can use this new option to explicitly allow backtraces and descriptions to be shown to the user for only selected error events. If you provide a list of errors to show, anything not on that list will not be shown to the user. The error is still logged as normal. This was raised in simplesamlphp#2513
1 parent 42b8a27 commit 71f4f31

2 files changed

Lines changed: 84 additions & 1 deletion


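--- a/config/config.php.dist
+++ b/config/config.php.dist
@@ -347,6 +347,66 @@ $config = [
 'showerrors' => false,
 'errorreporting' => true,
 
+/*
+* When showerrors is true, this is an array of which errors
+* should still be shown to the user. By default an error will
+* always be shown if showerrors==true and this setting is at the default value to allow all.
+*
+* If you list anything in this option you have to explicitly list each error
+* you would like to be shown to the user. You can also set the value to false
+* to hide that error. If this setting is used with anything other than the default
+* value and an error is not listed in the list then a backtrace for that error
+* will not be shown.
+*
+* These can be any of the error codes in
+* src/SimpleSAML/Error/ErrorCodes.php
+*
+*/
+'showerrors.whitelist' => [ '*' => true ],
+/*
+some of the many possibilities for this setting
+
+'showerrors.whitelist' => [
+'ACSPARAMS' => true,
+'ADMINNOTHASHED' => true,
+'ARSPARAMS' => true,
+'AUTHSOURCEERROR' => true,
+'BADREQUEST' => true,
+'CASERROR' => true,
+'CONFIG' => true,
+'CREATEREQUEST' => true,
+'DISCOPARAMS' => true,
+'GENERATEAUTHNRESPONSE' => true,
+'INVALIDCERT' => true,
+'LDAPERROR' => true,
+'LOGOUTINFOLOST' => true,
+'LOGOUTREQUEST' => true,
+'MEMCACHEDOWN' => true,
+'METADATA' => true,
+'METADATANOTFOUND' => true,
+'METHODNOTALLOWED' => true,
+'NOACCESS' => true,
+'NOCERT' => true,
+'NORELAYSTATE' => true,
+'NOSTATE' => true,
+'NOTFOUND' => true,
+'NOTFOUNDREASON' => true,
+'NOTSET' => true,
+'NOTVALIDCERT' => true,
+'NOTVALIDCERTSIGNATURE' => true,
+'PROCESSASSERTION' => true,
+'PROCESSAUTHNREQUEST' => true,
+'RESPONSESTATUSNOSUCCESS' => true,
+'SLOSERVICEPARAMS' => true,
+'SSOPARAMS' => true,
+'UNHANDLEDEXCEPTION' => true,
+'UNKNOWNCERT' => true,
+'USERABORTED' => true,
+'WRONGUSERPASS' => true,
+],
+*/
+
+
 /*
 * Custom error show function called from SimpleSAML\Error\Error::show.
 * See docs/simplesamlphp-errorhandling.md for function code example.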

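--- a/src/SimpleSAML/Error/Error.php
+++ b/src/SimpleSAML/Error/Error.php
@@ -225,6 +225,28 @@ protected function saveError(): array
 } else {
 $referer = 'unknown';
 }
+
+$showerrors = $config->getOptionalBoolean('showerrors', false);
+
+$whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) {
+// no change to filtering
+// everything is shown by default.
+} else {
+// explicitly handle showing erorrs
+// if not listed, do not show backtrace.
+$showRealError = false;
+if (array_key_exists($this->errorCode, $whitelist)) {
+$showRealError = ($whitelist[$this->errorCode] == true);
+}
+if (!$showRealError) {
+// they didn't select to show this message
+$emsg = "secret";
+$etrace = "trace";
+$showerrors = false;
+}
+}
+
 $httpUtils = new Utils\HTTP();
 $errorData = [
 'exceptionMsg' => $emsg,
@@ -234,6 +256,7 @@ protected function saveError(): array
 'url' => $httpUtils->getSelfURLNoQuery(),
 'version' => $config->getVersion(),
 'referer' => $referer,
+'showerrors' => $showerrors,
 ];
 $session->setData('core:errorreport', $reportId, $errorData);
 
@@ -261,7 +284,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false):
 $config = Configuration::getInstance();
 
 $data = [];
-$data['showerrors'] = $config->getOptionalBoolean('showerrors', false);
+$data['showerrors'] = $errorData['showerrors'];
 $data['error'] = $errorData;
 $data['errorCode'] = $this->errorCode;
 $data['parameters'] = $this->parameters;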
