From 7dbf25b049f9547427714d2d6a04b618559825bd Mon Sep 17 00:00:00 2001
From: Vicente Escaname
Date: Wed, 20 Mar 2024 00:19:30 +0000
Subject: [PATCH] [IMP] http_routing: Avoid returning verbose errors

Returning verbose errors presents a vulnerability to subsequent attacks by sharing information that could be used to find and exploit vulnerabilites. To fix this, the traceback sent to the template for the error page now displays a hash instead. This hash will match a hash that will accompany the error within the log, so that errors raised can still be debugged
---
 addons/http_routing/models/ir_http.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/addons/http_routing/models/ir_http.py b/addons/http_routing/models/ir_http.py
index e1ee2e2891274..38324ddc34cb0 100644
--- a/addons/http_routing/models/ir_http.py
+++ b/addons/http_routing/models/ir_http.py
@@ -654,12 +654,15 @@ def _handle_exception(cls, exception):
 with registry(request.env.cr.dbname).cursor() as cr:
 env = api.Environment(cr, request.uid, request.env.context)
 if code == 500:
- _logger.error("500 Internal Server Error:\n\n%s", values['traceback'])
+ _logger.error(
+ "500 Internal Server Error:\n\n%s",
+ "%s\n%s" % (values['traceback'],hash(values['traceback'])))
 values = cls._get_values_500_error(env, values, exception)
 elif code == 403:
 _logger.warning("403 Forbidden:\n\n%s", values['traceback'])
 elif code == 400:
 _logger.warning("400 Bad Request:\n\n%s", values['traceback'])
+ values['traceback'] = hash(values['traceback'])
 try:
 code, html = cls._get_error_html(env, code, values)
 except Exception:
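Review bot: The 403 and 400 branches still log only the bare traceback, while the new assignment after the `elif` chain replaces `values['traceback']` with `hash(values['traceback'])` for every status code, so a 403/400 error page shows an identifier that appears nowhere in the log and cannot be matched to it; only the 500 path gets the correlating hash the commit message promises. Computing the identifier once before `if code == 500:` and passing it to all three log calls keeps page and log in step, and lets the 500 call hand the traceback and the id to the logger as separate `%s` arguments instead of pre-formatting them with `%` (which also drops the missing space after the comma). `hash()` of a str is randomized per interpreter process, which is harmless here because the log line and the response are produced in the same request, but the result is an int rather than text; if the error template or `_get_values_500_error` (both outside the hunk) expect `values['traceback']` to be a string, wrap the id in `str()`. `_handle_exception` begins and ends outside this hunk.
```python
            # … unchanged: cursor and env setup …
            # One identifier for the whole branch so every logged error can be
            # matched with the value the error page shows.
            error_id = hash(values['traceback'])
            if code == 500:
                _logger.error("500 Internal Server Error [%s]:\n\n%s", error_id, values['traceback'])
                values = cls._get_values_500_error(env, values, exception)
            elif code == 403:
                _logger.warning("403 Forbidden [%s]:\n\n%s", error_id, values['traceback'])
            elif code == 400:
                _logger.warning("400 Bad Request [%s]:\n\n%s", error_id, values['traceback'])
            values['traceback'] = error_id
            # … unchanged: _get_error_html call …
```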