From f3473744ae1ab44cae452186a5195d1329bdb862 Mon Sep 17 00:00:00 2001 From: Ben Martin Date: Mon, 6 Oct 2025 13:35:11 +1000 Subject: [PATCH 1/4] Allow a whitelist of errors to be shown when showerrors is true If this whitelist is not used then all errors are shown if showerrors is true. If you use this new option then you have to list every error you would like to be shown to the user with a description and backtrace. This was raised in https://github.com/simplesamlphp/simplesamlphp/pull/2513 --- config/config.php.dist | 51 ++++++++++++++++++++++++++++++++++ src/SimpleSAML/Error/Error.php | 22 ++++++++++++++- 2 files changed, 72 insertions(+), 1 deletion(-) diff --git a/config/config.php.dist b/config/config.php.dist index 1263367df2..1303c2ae9e 100644 --- a/config/config.php.dist +++ b/config/config.php.dist 
@@ -340,6 +340,57 @@ $config = [ 'showerrors' => true, 'errorreporting' => true, + /* + * When showerrors is true, this is an array of which errors + * should still be shown to the user. By default an error will + * always be shown if showerrors==true. If you list anything in + * this option you have to explicitly list each error you would + * like to be shown to the user. You can also set the value to false + * to hide that error. + * + * These can be any of the error codes in + * src/SimpleSAML/Error/ErrorCodes.php + * + */ + 'showerrors.whitelist' => [ + 'ACSPARAMS' => true, + 'ADMINNOTHASHED' => true, + 'ARSPARAMS' => true, + 'AUTHSOURCEERROR' => true, + 'BADREQUEST' => true, + 'CASERROR' => true, + 'CONFIG' => true, + 'CREATEREQUEST' => true, + 'DISCOPARAMS' => true, + 'GENERATEAUTHNRESPONSE' => true, + 'INVALIDCERT' => true, + 'LDAPERROR' => true, + 'LOGOUTINFOLOST' => true, + 'LOGOUTREQUEST' => true, + 'MEMCACHEDOWN' => true, + 'METADATA' => true, + 'METADATANOTFOUND' => true, + 'METHODNOTALLOWED' => true, + 'NOACCESS' => true, + 'NOCERT' => true, + 'NORELAYSTATE' => true, + 'NOSTATE' => true, + 'NOTFOUND' => true, + 'NOTFOUNDREASON' => true, + 'NOTSET' => true, + 'NOTVALIDCERT' => true, + 'NOTVALIDCERTSIGNATURE' => true, + 'PROCESSASSERTION' => true, + 'PROCESSAUTHNREQUEST' => true, + 'RESPONSESTATUSNOSUCCESS' => true, + 'SLOSERVICEPARAMS' => true, + 'SSOPARAMS' => true, + 'UNHANDLEDEXCEPTION' => true, + 'UNKNOWNCERT' => true, + 'USERABORTED' => true, + 'WRONGUSERPASS' => true, + ], + /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.md for function code example. diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php index dfa7315754..113770e3e9 100644 --- a/src/SimpleSAML/Error/Error.php +++ b/src/SimpleSAML/Error/Error.php 
@@ -206,6 +206,25 @@ protected function saveError(): array
 } else {
 $referer = 'unknown';
 }
+
+ $showerrors = $config->getOptionalBoolean('showerrors', true);
+
+ $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+ if( count($whitelist)==1 && array_key_exists('*', $whitelist)) {
+ // no filtering
+ } else {
+ $showRealError = false;
+ if( array_key_exists($this->errorCode, $whitelist)) {
+ $showRealError = ($whitelist[$this->errorCode] == true);
+ }
+ if(!$showRealError) {
+ // they didn't select to show this message
+ $emsg = "secret";
+ $etrace = "trace";
+ $showerrors = false;
+ }
+ }
+
 $httpUtils = new Utils\HTTP();
 $errorData = [
 'exceptionMsg' => $emsg,
@@ -215,6 +234,7 @@ protected function saveError(): array
 'url' => $httpUtils->getSelfURLNoQuery(),
 'version' => $config->getVersion(),
 'referer' => $referer,
+ 'showerrors' => $showerrors,
 ];
 $session->setData('core:errorreport', $reportId, $errorData);
@@ -239,7 +259,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false):
 $config = Configuration::getInstance();
 $data = [];
- $data['showerrors'] = $config->getOptionalBoolean('showerrors', true);
+ $data['showerrors'] = $errorData['showerrors'];
 $data['error'] = $errorData;
 $data['errorCode'] = $this->errorCode;
 $data['parameters'] = $this->parameters;
From 7bc1adbdfdfbd6516d1c85a8aa1a70c6b4bd5bab Mon Sep 17 00:00:00 2001
From: Ben Martin
Date: Mon, 6 Oct 2025 13:41:46 +1000
Subject: [PATCH 2/4] lint
---
 src/SimpleSAML/Error/Error.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php
index 113770e3e9..bc148f2902 100644
--- a/src/SimpleSAML/Error/Error.php
+++ b/src/SimpleSAML/Error/Error.php
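Review bot: The allow-all test on the `if( count($whitelist)==1 && array_key_exists('*', $whitelist))` line only checks that the `'*'` key exists, so `['*' => false]` — the obvious way to spell "hide everything" — disables filtering and shows every message and trace, while `['*' => true, 'WRONGUSERPASS' => false]` falls into the else branch where `'*'` is never consulted and every other code is hidden. Treating `'*'` as the default for unlisted codes removes both surprises and the loose `== true` (any truthy config value currently counts as "show"): `$default = ($whitelist['*'] ?? false) === true;` `$showRealError = ($whitelist[$this->errorCode] ?? $default) === true;`. The substituted `"secret"`/`"trace"` values are also what gets stored under `core:errorreport`, so if the administrator's error report is built from that session entry it loses the real message and trace, not just the user-visible copy — keeping the real values in the stored data and letting the new `showerrors` flag gate what the template renders would avoid that. `$config` is already in scope, so `Configuration::getInstance()` on the `$whitelist` line is redundant. saveError() begins before this hunk, where `$emsg` and `$etrace` are assigned.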
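Review bot: `$data['showerrors'] = $errorData['showerrors'];` now hard-depends on a key that only this version of saveError() writes, and saveError() is `protected`, so a subclass that overrides it to build its own `$errorData` array will raise an undefined-index warning here and hand `null` to the template. Failing closed keeps the page from rendering details that no whitelist pass vetted: `$data['showerrors'] = $errorData['showerrors'] ?? false;`. show() continues outside this hunk.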
@@ -210,14 +210,14 @@ protected function saveError(): array $showerrors = $config->getOptionalBoolean('showerrors', true); $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]); - if( count($whitelist)==1 && array_key_exists('*', $whitelist)) { + if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) { // no filtering } else { $showRealError = false; - if( array_key_exists($this->errorCode, $whitelist)) { + if (array_key_exists($this->errorCode, $whitelist)) { $showRealError = ($whitelist[$this->errorCode] == true); } - if(!$showRealError) { + if (!$showRealError) { // they didn't select to show this message $emsg = "secret"; $etrace = "trace"; From 944268718564398f3068264f99d6d3a17cf2d278 Mon Sep 17 00:00:00 2001 From: Ben Martin Date: Mon, 20 Oct 2025 11:42:33 +1000 Subject: [PATCH 3/4] include default as default config.php.dist setting explain that if an error is missing in the list then it will not have a backtrace by default --- config/config.php.dist | 93 +++++++++++++++++++--------------- src/SimpleSAML/Error/Error.php | 7 ++- 2 files changed, 56 insertions(+), 44 deletions(-) diff --git a/config/config.php.dist b/config/config.php.dist index 1303c2ae9e..312a74ef23 100644 --- a/config/config.php.dist +++ b/config/config.php.dist 
@@ -343,54 +343,63 @@ $config = [ /* * When showerrors is true, this is an array of which errors * should still be shown to the user. By default an error will - * always be shown if showerrors==true. If you list anything in - * this option you have to explicitly list each error you would - * like to be shown to the user. You can also set the value to false - * to hide that error. + * always be shown if showerrors==true and this setting is at the default value to allow all. + * + * If you list anything in this option you have to explicitly list each error + * you would like to be shown to the user. You can also set the value to false + * to hide that error. If this setting is used with anything other than the default + * value and an error is not listed in the list then a backtrace for that error + * will not be shown. * * These can be any of the error codes in * src/SimpleSAML/Error/ErrorCodes.php * */ + 'showerrors.whitelist' => [ '*' => true ], + /* + some of the many possibilities for this setting + 'showerrors.whitelist' => [ - 'ACSPARAMS' => true, - 'ADMINNOTHASHED' => true, - 'ARSPARAMS' => true, - 'AUTHSOURCEERROR' => true, - 'BADREQUEST' => true, - 'CASERROR' => true, - 'CONFIG' => true, - 'CREATEREQUEST' => true, - 'DISCOPARAMS' => true, - 'GENERATEAUTHNRESPONSE' => true, - 'INVALIDCERT' => true, - 'LDAPERROR' => true, - 'LOGOUTINFOLOST' => true, - 'LOGOUTREQUEST' => true, - 'MEMCACHEDOWN' => true, - 'METADATA' => true, - 'METADATANOTFOUND' => true, - 'METHODNOTALLOWED' => true, - 'NOACCESS' => true, - 'NOCERT' => true, - 'NORELAYSTATE' => true, - 'NOSTATE' => true, - 'NOTFOUND' => true, - 'NOTFOUNDREASON' => true, - 'NOTSET' => true, - 'NOTVALIDCERT' => true, - 'NOTVALIDCERTSIGNATURE' => true, - 'PROCESSASSERTION' => true, - 'PROCESSAUTHNREQUEST' => true, - 'RESPONSESTATUSNOSUCCESS' => true, - 'SLOSERVICEPARAMS' => true, - 'SSOPARAMS' => true, - 'UNHANDLEDEXCEPTION' => true, - 'UNKNOWNCERT' => true, - 'USERABORTED' => true, - 'WRONGUSERPASS' => true, - ], 
- + 'ACSPARAMS' => true, + 'ADMINNOTHASHED' => true, + 'ARSPARAMS' => true, + 'AUTHSOURCEERROR' => true, + 'BADREQUEST' => true, + 'CASERROR' => true, + 'CONFIG' => true, + 'CREATEREQUEST' => true, + 'DISCOPARAMS' => true, + 'GENERATEAUTHNRESPONSE' => true, + 'INVALIDCERT' => true, + 'LDAPERROR' => true, + 'LOGOUTINFOLOST' => true, + 'LOGOUTREQUEST' => true, + 'MEMCACHEDOWN' => true, + 'METADATA' => true, + 'METADATANOTFOUND' => true, + 'METHODNOTALLOWED' => true, + 'NOACCESS' => true, + 'NOCERT' => true, + 'NORELAYSTATE' => true, + 'NOSTATE' => true, + 'NOTFOUND' => true, + 'NOTFOUNDREASON' => true, + 'NOTSET' => true, + 'NOTVALIDCERT' => true, + 'NOTVALIDCERTSIGNATURE' => true, + 'PROCESSASSERTION' => true, + 'PROCESSAUTHNREQUEST' => true, + 'RESPONSESTATUSNOSUCCESS' => true, + 'SLOSERVICEPARAMS' => true, + 'SSOPARAMS' => true, + 'UNHANDLEDEXCEPTION' => true, + 'UNKNOWNCERT' => true, + 'USERABORTED' => true, + 'WRONGUSERPASS' => true, + ], + */ + + /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.md for function code example. diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php index bc148f2902..56a50b4cd6 100644 --- a/src/SimpleSAML/Error/Error.php +++ b/src/SimpleSAML/Error/Error.php @@ -209,10 +209,13 @@ protected function saveError(): array $showerrors = $config->getOptionalBoolean('showerrors', true); - $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]); + $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]); if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) { - // no filtering + // no change to filtering + // everything is shown by default. } else { + // explicitly handle showing erorrs + // if not listed, do not show backtrace. $showRealError = false; if (array_key_exists($this->errorCode, $whitelist)) { $showRealError = ($whitelist[$this->errorCode] == true); 
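Review bot: The new comment block says the list applies "When showerrors is true", but the filter added in Error.php runs regardless of `showerrors`, and the block does not say that the `'*'` wildcard is only recognised when it is the sole entry — `['*' => true, 'WRONGUSERPASS' => false]` hides every code not explicitly set to true. Both are worth stating where an operator will read them, e.g. `* The '*' entry is only honoured on its own; any other list hides the message and backtrace of every code it does not list as true, whatever showerrors is set to.` Whether a generic error page with the report ID is still shown for hidden codes depends on the template, which is not visible here, so the comment should not promise it without checking.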
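Review bot: The added comment on the else branch misspells "erorrs", and "if not listed, do not show backtrace" understates what the branch does: the message is replaced as well, and a code explicitly set to `false` is treated the same as an unlisted one. Suggest `// explicit allow-list: codes not listed, or listed as false, get neither message nor backtrace.` The whitespace-only edit to the `$whitelist` line is touched again in the following patch, so the two could be squashed.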
From 717924c1c68b550f6137b7be37c497ac0bd62109 Mon Sep 17 00:00:00 2001
From: Ben Martin
Date: Tue, 21 Oct 2025 09:29:56 +1000
Subject: [PATCH 4/4] lint
---
 src/SimpleSAML/Error/Error.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php
index 56a50b4cd6..718a2c66a7 100644
--- a/src/SimpleSAML/Error/Error.php
+++ b/src/SimpleSAML/Error/Error.php
@@ -209,7 +209,7 @@ protected function saveError(): array
 $showerrors = $config->getOptionalBoolean('showerrors', true);
- $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+ $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
 if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) {
 // no change to filtering
 // everything is shown by default.