diff --git a/config/config.php.dist b/config/config.php.dist
index 1263367df2..312a74ef23 100644
--- a/config/config.php.dist
+++ b/config/config.php.dist
@@ -340,6 +340,66 @@ $config = [ 'showerrors' => true, 'errorreporting' => true, + /* + * When showerrors is true, this is an array of which errors + * should still be shown to the user. By default an error will + * always be shown if showerrors==true and this setting is at the default value to allow all. + * + * If you list anything in this option you have to explicitly list each error + * you would like to be shown to the user. You can also set the value to false + * to hide that error. If this setting is used with anything other than the default + * value and an error is not listed in the list then a backtrace for that error + * will not be shown. + * + * These can be any of the error codes in + * src/SimpleSAML/Error/ErrorCodes.php + * + */ + 'showerrors.whitelist' => [ '*' => true ], + /* + some of the many possibilities for this setting + + 'showerrors.whitelist' => [ + 'ACSPARAMS' => true, + 'ADMINNOTHASHED' => true, + 'ARSPARAMS' => true, + 'AUTHSOURCEERROR' => true, + 'BADREQUEST' => true, + 'CASERROR' => true, + 'CONFIG' => true, + 'CREATEREQUEST' => true, + 'DISCOPARAMS' => true, + 'GENERATEAUTHNRESPONSE' => true, + 'INVALIDCERT' => true, + 'LDAPERROR' => true, + 'LOGOUTINFOLOST' => true, + 'LOGOUTREQUEST' => true, + 'MEMCACHEDOWN' => true, + 'METADATA' => true, + 'METADATANOTFOUND' => true, + 'METHODNOTALLOWED' => true, + 'NOACCESS' => true, + 'NOCERT' => true, + 'NORELAYSTATE' => true, + 'NOSTATE' => true, + 'NOTFOUND' => true, + 'NOTFOUNDREASON' => true, + 'NOTSET' => true, + 'NOTVALIDCERT' => true, + 'NOTVALIDCERTSIGNATURE' => true, + 'PROCESSASSERTION' => true, + 'PROCESSAUTHNREQUEST' => true, + 'RESPONSESTATUSNOSUCCESS' => true, + 'SLOSERVICEPARAMS' => true, + 'SSOPARAMS' => true, + 'UNHANDLEDEXCEPTION' => true, + 'UNKNOWNCERT' => true, + 'USERABORTED' => true, + 'WRONGUSERPASS' => true, + ], + */ + + /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.md for function code example. 
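Review bot: The comment for `showerrors.whitelist` does not say how `'*'` interacts with explicit entries, and the check this commit adds in Error.php only recognises the wildcard when it is the sole key and ignores its value, so `['*' => false]` behaves like the default (everything shown) while `['*' => true, 'NOTFOUND' => false]` hides every error. The text also says only the backtrace is withheld for unlisted errors, but the Error.php hunk replaces the exception message as well. Suggest adding ` * '*' is only honoured when it is the sole entry; with any other list, both the message and the backtrace of an unlisted error are withheld.` to the block, or documenting whichever precedence rule the implementation is meant to follow. The surrounding `$config` array starts and ends outside the hunk.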
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php index dfa7315754..718a2c66a7 100644 --- a/src/SimpleSAML/Error/Error.php +++ b/src/SimpleSAML/Error/Error.php @@ -206,6 +206,28 @@ protected function saveError(): array } else { $referer = 'unknown'; } + + $showerrors = $config->getOptionalBoolean('showerrors', true); + + $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]); + if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) { + // no change to filtering + // everything is shown by default. + } else { + // explicitly handle showing erorrs + // if not listed, do not show backtrace. + $showRealError = false; + if (array_key_exists($this->errorCode, $whitelist)) { + $showRealError = ($whitelist[$this->errorCode] == true); + } + if (!$showRealError) { + // they didn't select to show this message + $emsg = "secret"; + $etrace = "trace"; + $showerrors = false; + } + } + $httpUtils = new Utils\HTTP(); $errorData = [ 'exceptionMsg' => $emsg, @@ -215,6 +237,7 @@ protected function saveError(): array 'url' => $httpUtils->getSelfURLNoQuery(), 'version' => $config->getVersion(), 'referer' => $referer, + 'showerrors' => $showerrors, ]; $session->setData('core:errorreport', $reportId, $errorData); @@ -239,7 +262,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false): $config = Configuration::getInstance(); $data = []; - $data['showerrors'] = $config->getOptionalBoolean('showerrors', true); + $data['showerrors'] = $errorData['showerrors']; $data['error'] = $errorData; $data['errorCode'] = $this->errorCode; $data['parameters'] = $this->parameters;
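Review bot: The default detection `count($whitelist) == 1 && array_key_exists('*', $whitelist)` in saveError ignores the wildcard's value, so a configured `['*' => false]` is treated exactly like the default and every error is still shown, and the per-code check `$whitelist[$this->errorCode] == true` is a loose comparison under which a value such as `'no'` also counts as shown. Both go away if the lookup resolves the error code first, then `'*'`, and requires an identical `true`, which also lets the wildcard coexist with per-code overrides. `$config` is already in scope here (it is used for `getVersion()` a few lines down), so the second `Configuration::getInstance()` call is unnecessary, and `erorrs` in the comment is a typo. The `"secret"`/`"trace"` placeholders are written into the same `core:errorreport` session entry as the rest of the report data, so if that entry feeds the error report to the technical contact the real message and trace are lost there too; consider leaving `$emsg`/`$etrace` untouched and relying on the stored `showerrors` flag, which the third hunk already makes `show()` read. saveError continues outside the hunk.
```php
$showerrors = $config->getOptionalBoolean('showerrors', true);
$whitelist = $config->getOptionalArray('showerrors.whitelist', ['*' => true]);
// A per-code entry wins over the '*' wildcard; anything not strictly true is hidden.
$showRealError = ($whitelist[$this->errorCode] ?? $whitelist['*'] ?? false) === true;
if (!$showRealError) {
    // not selected for display: the template must not render message or trace
    $showerrors = false;
}
// … unchanged: $httpUtils / $errorData construction …
```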