diff --git a/config/config.php.dist b/config/config.php.dist
index 178b8d31fa..9100e9f4b6 100644
--- a/config/config.php.dist
+++ b/config/config.php.dist
@@ -347,6 +347,66 @@ $config = [ 'showerrors' => false, 'errorreporting' => true, + /* + * When showerrors is true, this is an array of which errors + * should still be shown to the user. By default an error will + * always be shown if showerrors==true and this setting is at the default value to allow all. + * + * If you list anything in this option you have to explicitly list each error + * you would like to be shown to the user. You can also set the value to false + * to hide that error. If this setting is used with anything other than the default + * value and an error is not listed in the list then a backtrace for that error + * will not be shown. + * + * These can be any of the error codes in + * src/SimpleSAML/Error/ErrorCodes.php + * + */ + 'showerrors.whitelist' => [ '*' => true ], + /* + some of the many possibilities for this setting + + 'showerrors.whitelist' => [ + 'ACSPARAMS' => true, + 'ADMINNOTHASHED' => true, + 'ARSPARAMS' => true, + 'AUTHSOURCEERROR' => true, + 'BADREQUEST' => true, + 'CASERROR' => true, + 'CONFIG' => true, + 'CREATEREQUEST' => true, + 'DISCOPARAMS' => true, + 'GENERATEAUTHNRESPONSE' => true, + 'INVALIDCERT' => true, + 'LDAPERROR' => true, + 'LOGOUTINFOLOST' => true, + 'LOGOUTREQUEST' => true, + 'MEMCACHEDOWN' => true, + 'METADATA' => true, + 'METADATANOTFOUND' => true, + 'METHODNOTALLOWED' => true, + 'NOACCESS' => true, + 'NOCERT' => true, + 'NORELAYSTATE' => true, + 'NOSTATE' => true, + 'NOTFOUND' => true, + 'NOTFOUNDREASON' => true, + 'NOTSET' => true, + 'NOTVALIDCERT' => true, + 'NOTVALIDCERTSIGNATURE' => true, + 'PROCESSASSERTION' => true, + 'PROCESSAUTHNREQUEST' => true, + 'RESPONSESTATUSNOSUCCESS' => true, + 'SLOSERVICEPARAMS' => true, + 'SSOPARAMS' => true, + 'UNHANDLEDEXCEPTION' => true, + 'UNKNOWNCERT' => true, + 'USERABORTED' => true, + 'WRONGUSERPASS' => true, + ], + */ + + /* * Custom error show function called from SimpleSAML\Error\Error::show. * See docs/simplesamlphp-errorhandling.md for function code example. 
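Review bot: The new comment says that an unlisted error will not have its backtrace shown, but the handling added in src/SimpleSAML/Error/Error.php in this same commit replaces the exception message as well, so the text should state that both the message and the trace are withheld for any error code that is not listed with `true`. It should also say that `'*'` is honoured only when it is the sole key: the check in Error.php is `count($whitelist) == 1 && array_key_exists('*', $whitelist)`, so as soon as one error code is added the wildcard entry stops matching, and `'*' => false` behaves exactly like `'*' => true`. The commented-out example enumerates what looks like every code in src/SimpleSAML/Error/ErrorCodes.php and will drift as codes are added or removed; a two- or three-entry example such as `'showerrors.whitelist' => [ 'NOTFOUND' => true, 'WRONGUSERPASS' => false ],` with the existing pointer to that file documents the shape without the maintenance cost.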
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php
index 3bf95b8373..2251bf9ed3 100644
--- a/src/SimpleSAML/Error/Error.php
+++ b/src/SimpleSAML/Error/Error.php
@@ -225,6 +225,28 @@ protected function saveError(): array
 } else {
 $referer = 'unknown';
 }
+
+ $showerrors = $config->getOptionalBoolean('showerrors', false);
+
+ $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+ if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) {
+ // no change to filtering
+ // everything is shown by default.
+ } else {
+ // explicitly handle showing erorrs
+ // if not listed, do not show backtrace.
+ $showRealError = false;
+ if (array_key_exists($this->errorCode, $whitelist)) {
+ $showRealError = ($whitelist[$this->errorCode] == true);
+ }
+ if (!$showRealError) {
+ // they didn't select to show this message
+ $emsg = "secret";
+ $etrace = "trace";
+ $showerrors = false;
+ }
+ }
+
 $httpUtils = new Utils\HTTP();
 $errorData = [
 'exceptionMsg' => $emsg,
@@ -234,6 +256,7 @@ protected function saveError(): array
 'url' => $httpUtils->getSelfURLNoQuery(),
 'version' => $config->getVersion(),
 'referer' => $referer,
+ 'showerrors' => $showerrors,
 ];
 $session->setData('core:errorreport', $reportId, $errorData);
@@ -261,7 +284,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false):
 $config = Configuration::getInstance();
 $data = [];
- $data['showerrors'] = $config->getOptionalBoolean('showerrors', false);
+ $data['showerrors'] = $errorData['showerrors'];
 $data['error'] = $errorData;
 $data['errorCode'] = $this->errorCode;
 $data['parameters'] = $this->parameters;
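Review bot: In the first hunk the masking overwrites `$emsg` and `$etrace` before they are placed in `$errorData` and stored under `core:errorreport`, so if the error report the user can send is built from that session entry (it is not visible here), the administrator would receive `"secret"` and `"trace"` instead of the real exception message and backtrace; if the goal is only to hide details from the browser, the real values belong in the session and the masking in the copy handed to the template in show(). The two loose comparisons should be strict, `if (count($whitelist) === 1 && array_key_exists('*', $whitelist)) {` and `$showRealError = ($whitelist[$this->errorCode] ?? false) === true;`, so that a whitelist value such as `'yes'` or `1` does not unlock the error and the inner `array_key_exists` becomes unnecessary. `$showerrors` is read through `$config` while the whitelist is fetched through a fresh `Configuration::getInstance()`; both should use `$config`, the comment `// explicitly handle showing erorrs` has a typo, and a placeholder like `'[hidden]'` would be clearer than `"secret"`/`"trace"` to whoever reads the stored data. saveError's body starts and ends outside the first two hunks, and show() continues past the last.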