[IMP] http_routing: Avoid returning verbose errors

Returning verbose errors presents a vulnerability to subsequent attacks by sharing information that could be used to find and exploit vulnerabilites. To fix this, the traceback sent to the template for the error page now displays a hash instead. This hash will match a hash that will accompany the error within the log, so that errors raised can still be debugged
Vauxoo · Mar 20, 2024 · 7dbf25b · 7dbf25b
1 parent b48e66e
commit 7dbf25b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/addons/http_routing/models/ir_http.py b/addons/http_routing/models/ir_http.py
@@ -654,12 +654,15 @@ def _handle_exception(cls, exception):
         with registry(request.env.cr.dbname).cursor() as cr:
             env = api.Environment(cr, request.uid, request.env.context)
             if code == 500:
-                _logger.error("500 Internal Server Error:\n\n%s", values['traceback'])
+                _logger.error(
+                    "500 Internal Server Error:\n\n%s",
+                    "%s\n%s" % (values['traceback'],hash(values['traceback'])))
                 values = cls._get_values_500_error(env, values, exception)
             elif code == 403:
                 _logger.warning("403 Forbidden:\n\n%s", values['traceback'])
             elif code == 400:
                 _logger.warning("400 Bad Request:\n\n%s", values['traceback'])
+            values['traceback'] = hash(values['traceback'])
             try:
                 code, html = cls._get_error_html(env, code, values)
             except Exception: