From 8662b52a0a73a25c40377334cd7baada49322a11 Mon Sep 17 00:00:00 2001
From: Ben Martin
Date: Tue, 21 Oct 2025 09:42:35 +1000
Subject: [PATCH] Allow a whitelist of errors to be shown when showerrors is true
If this whitelist is not used then all errors are shown if showerrors is true. You can use this new option to explicitly allow backtraces and descriptions to be shown to the user for only select error events. If you provide a list of errors to show then anything not on that list will not be shown to the user. The error will be logged etc as normal. This was raised in https://github.com/simplesamlphp/simplesamlphp/pull/2513
---
 config/config.php.dist | 60 ++++++++++++++++++++++++++++++++++
 src/SimpleSAML/Error/Error.php | 25 +++++++++++++-
 2 files changed, 84 insertions(+), 1 deletion(-)
diff --git a/config/config.php.dist b/config/config.php.dist
index 178b8d31fa..9100e9f4b6 100644
--- a/config/config.php.dist
+++ b/config/config.php.dist
@@ -347,6 +347,66 @@ $config = [
 'showerrors' => false,
 'errorreporting' => true,
+ /*
+ * When showerrors is true, this is an array of which errors
+ * should still be shown to the user. By default an error will
+ * always be shown if showerrors==true and this setting is at the default value to allow all.
+ *
+ * If you list anything in this option you have to explicitly list each error
+ * you would like to be shown to the user. You can also set the value to false
+ * to hide that error. If this setting is used with anything other than the default
+ * value and an error is not listed in the list then a backtrace for that error
+ * will not be shown.
+ *
+ * These can be any of the error codes in
+ * src/SimpleSAML/Error/ErrorCodes.php
+ *
+ */
+ 'showerrors.whitelist' => [ '*' => true ],
+ /*
+ some of the many possibilities for this setting
+
+ 'showerrors.whitelist' => [
+ 'ACSPARAMS' => true,
+ 'ADMINNOTHASHED' => true,
+ 'ARSPARAMS' => true,
+ 'AUTHSOURCEERROR' => true,
+ 'BADREQUEST' => true,
+ 'CASERROR' => true,
+ 'CONFIG' => true,
+ 'CREATEREQUEST' => true,
+ 'DISCOPARAMS' => true,
+ 'GENERATEAUTHNRESPONSE' => true,
+ 'INVALIDCERT' => true,
+ 'LDAPERROR' => true,
+ 'LOGOUTINFOLOST' => true,
+ 'LOGOUTREQUEST' => true,
+ 'MEMCACHEDOWN' => true,
+ 'METADATA' => true,
+ 'METADATANOTFOUND' => true,
+ 'METHODNOTALLOWED' => true,
+ 'NOACCESS' => true,
+ 'NOCERT' => true,
+ 'NORELAYSTATE' => true,
+ 'NOSTATE' => true,
+ 'NOTFOUND' => true,
+ 'NOTFOUNDREASON' => true,
+ 'NOTSET' => true,
+ 'NOTVALIDCERT' => true,
+ 'NOTVALIDCERTSIGNATURE' => true,
+ 'PROCESSASSERTION' => true,
+ 'PROCESSAUTHNREQUEST' => true,
+ 'RESPONSESTATUSNOSUCCESS' => true,
+ 'SLOSERVICEPARAMS' => true,
+ 'SSOPARAMS' => true,
+ 'UNHANDLEDEXCEPTION' => true,
+ 'UNKNOWNCERT' => true,
+ 'USERABORTED' => true,
+ 'WRONGUSERPASS' => true,
+ ],
+ */
+
+
 /*
 * Custom error show function called from SimpleSAML\Error\Error::show.
 * See docs/simplesamlphp-errorhandling.md for function code example.
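Review bot: The comment for `showerrors.whitelist` says only that "a backtrace for that error will not be shown", but the accompanying Error.php change suppresses the message as well, and it does not say that the `'*'` wildcard is honoured only when it is the sole entry — a value such as `['*' => true, 'NOACCESS' => false]` falls into explicit-list mode and hides every code not listed. I would add to the comment block: ` * The '*' wildcard is only honoured when it is the sole entry. Once any error code is listed, every code not listed (and any listed with false) has both its message and backtrace hidden from the user.` The commented-out example sets every code to true, which is equivalent to the default; a shorter example that actually hides something, e.g. `'showerrors.whitelist' => ['WRONGUSERPASS' => true, 'NOACCESS' => false],`, would illustrate the intended use better.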
diff --git a/src/SimpleSAML/Error/Error.php b/src/SimpleSAML/Error/Error.php
index 3bf95b8373..2251bf9ed3 100644
--- a/src/SimpleSAML/Error/Error.php
+++ b/src/SimpleSAML/Error/Error.php
@@ -225,6 +225,28 @@ protected function saveError(): array
 } else {
 $referer = 'unknown';
 }
+
+ $showerrors = $config->getOptionalBoolean('showerrors', false);
+
+ $whitelist = Configuration::getInstance()->getOptionalArray('showerrors.whitelist', ['*' => true]);
+ if (count($whitelist) == 1 && array_key_exists('*', $whitelist)) {
+ // no change to filtering
+ // everything is shown by default.
+ } else {
+ // explicitly handle showing erorrs
+ // if not listed, do not show backtrace.
+ $showRealError = false;
+ if (array_key_exists($this->errorCode, $whitelist)) {
+ $showRealError = ($whitelist[$this->errorCode] == true);
+ }
+ if (!$showRealError) {
+ // they didn't select to show this message
+ $emsg = "secret";
+ $etrace = "trace";
+ $showerrors = false;
+ }
+ }
+
 $httpUtils = new Utils\HTTP();
 $errorData = [
 'exceptionMsg' => $emsg,
@@ -234,6 +256,7 @@ protected function saveError(): array
 'url' => $httpUtils->getSelfURLNoQuery(),
 'version' => $config->getVersion(),
 'referer' => $referer,
+ 'showerrors' => $showerrors,
 ];
 $session->setData('core:errorreport', $reportId, $errorData);
@@ -261,7 +284,7 @@ public function show(int $logLevel = Logger::ERR, bool $suppressReport = false):
 $config = Configuration::getInstance();
 $data = [];
- $data['showerrors'] = $config->getOptionalBoolean('showerrors', false);
+ $data['showerrors'] = $errorData['showerrors'];
 $data['error'] = $errorData;
 $data['errorCode'] = $this->errorCode;
 $data['parameters'] = $this->parameters;
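Review bot: The else branch in saveError() overwrites `$emsg` and `$etrace` with the placeholders `"secret"` and `"trace"` before `$errorData` is stored under `core:errorreport`, so whatever later reads that session entry (presumably the error-report path) would receive the placeholders instead of the real message and trace, which is at odds with the description's claim that the error is still reported as normal. Because the same block now records `'showerrors' => $showerrors` and show() takes its display flag from there, setting `$showerrors = false` should be sufficient to keep the page from rendering the details, provided the template only prints the message and trace when that flag is set — worth confirming before dropping the two overwrite lines. Separately, `count($whitelist) == 1 && array_key_exists('*', $whitelist)` treats `['*' => false]` as allow-all, and `$whitelist[$this->errorCode] == true` accepts any truthy value such as `'no'`; both should be strict comparisons. `$config` is already in scope, so the second `Configuration::getInstance()` call is redundant, and the comment `// explicitly handle showing erorrs` has a typo. saveError() starts and ends outside the hunk.
```php
        $showerrors = $config->getOptionalBoolean('showerrors', false);
        $whitelist = $config->getOptionalArray('showerrors.whitelist', ['*' => true]);
        $allowAll = count($whitelist) === 1 && ($whitelist['*'] ?? false) === true;
        if (!$allowAll && ($whitelist[$this->errorCode] ?? false) !== true) {
            // Not listed (or listed as false): keep the real message and trace in
            // $errorData for the stored report, but do not let the page render them.
            $showerrors = false;
        }
        // … unchanged: $httpUtils and $errorData assembly …
```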
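Review bot: `$data['showerrors'] = $errorData['showerrors'];` reads the new key unconditionally, and since saveError() is `protected` (per the hunk headers) a subclass override returning an array without that key would raise an undefined-index warning while rendering an error page; defaulting closed with `$data['showerrors'] = $errorData['showerrors'] ?? false;` keeps the display flag off whenever the key is absent. show() starts and ends outside the hunk, and the assignment of `$errorData` is not visible here, so the link to saveError() is inferred from the method name.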