sling-dev mailing list archives

From "Konrad Windszus (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SLING-6703) Sling Post Processor: Do not create new exception in AbstractPostResponse.setError
Date Thu, 23 Mar 2017 14:32:41 GMT

    [ https://issues.apache.org/jira/browse/SLING-6703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15938445#comment-15938445 ]

Konrad Windszus commented on SLING-6703:
----------------------------------------

[~asanso] The fix from you in SLING-4415 prevents the original exception from being exposed,
but only for the HTML response (not for the JSON response). Since the response format is influenced
by the client, this does not give any additional security (because internal paths would still
be exposed in the JSON response). Also, this prevents useful exceptions (not exposing any internal
paths) from appearing in the HTML response at all. Would it be an option to just filter out
{{org.apache.sling.api.resource.PersistenceException}}s, which potentially leak some information
about the underlying repo structure, but pass all other exceptions unmodified?

> Sling Post Processor: Do not create new exception in AbstractPostResponse.setError
> ----------------------------------------------------------------------------------
>
>                 Key: SLING-6703
>                 URL: https://issues.apache.org/jira/browse/SLING-6703
>             Project: Sling
>          Issue Type: Improvement
>          Components: Servlets
>    Affects Versions: Servlets Post 2.3.14
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>
> Currently {{AbstractPostResponse.setError}} (https://github.com/apache/sling/blob/4df9ab2d6592422889c71fa13afd453a10a5a626/bundles/servlets/post/src/main/java/org/apache/sling/servlets/post/AbstractPostResponse.java#L221) always ignores the given {{Throwable}} and just creates a new generic {{SlingException}}.
> To e.g. allow {{SlingPostProcessor}} to throw meaningful exceptions which occur in the response body, the given exception should not be wrapped but just the given throwable's message text should be given out in the document.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
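
The filtering idea raised in the comment above, sketched as an added example that is not part of the original message and not Sling's own code: the message is filtered once, by exception type, before any response format is chosen, so the HTML and JSON responses cannot differ in what they expose. The class ErrorMessageFilterDemo, its methods, the generic message text, the local PersistenceException stand-in and the simplified renderers are all assumptions made for illustration, and walking the cause chain goes slightly beyond the comment's proposal.

```java
public class ErrorMessageFilterDemo {
    // Stand-in for org.apache.sling.api.resource.PersistenceException,
    // declared locally so the demo compiles without Sling on the classpath.
    static class PersistenceException extends Exception {
        PersistenceException(String message) { super(message); }
    }

    // Hypothetical generic text returned in place of a filtered message.
    static final String GENERIC_MESSAGE = "The changes could not be persisted.";

    // Decide once, before a response format is chosen, which text may leave the server.
    // The cause chain is walked because new RuntimeException(cause) copies
    // cause.toString(), message included, into the wrapper's own message.
    static String exposableMessage(Throwable error) {
        for (Throwable t = error; t != null; t = t.getCause()) {
            if (t instanceof PersistenceException) {
                return GENERIC_MESSAGE;
            }
        }
        String message = error.getMessage();
        return message != null ? message : error.getClass().getSimpleName();
    }

    // Simplified renderers (not Sling's real output); both take the filtered text only.
    static String toHtml(String message) {
        return "<p class=\"error\">" + message.replace("&", "&amp;")
                .replace("<", "&lt;").replace(">", "&gt;") + "</p>";
    }

    static String toJson(String message) {
        return "{\"error\":\"" + message.replace("\\", "\\\\").replace("\"", "\\\"") + "\"}";
    }

    public static void main(String[] args) {
        // Constructed sample errors; the repository path is made up.
        Throwable[] samples = {
            new PersistenceException("Unable to commit changes to /constructed/internal/node"),
            new IllegalStateException(
                    new PersistenceException("Unable to commit changes to /constructed/internal/node")),
            new IllegalArgumentException("Property 'title' must not be empty")
        };
        for (Throwable sample : samples) {
            String safe = exposableMessage(sample);
            System.out.println(toHtml(safe));
            System.out.println(toJson(safe));
        }
    }
}
```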
