As a result of an exception, the user was shown the exception page including call stack details. This happens even though TIWServerController.SecurityOptions.ShowSecurityErrorDetails = False.
I would like to show the user the error message but without these details. On the server this error, including the details, should stay.
A second issue: the attached test case shows a small memory leak after the exception is generated.
The stack trace is not part of the details hidden when this option is False. Only sensitive information is hidden (the call stack doesn't expose things that can compromise your server).
True, but application details like the app path etc. are also shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.
Update on the first issue about showing the app path etc.: my mistake. This information is only visible when testing from localhost.
I see the check on Host = <localhost> in TIWExceptionLogWorker.GetExceptionDetail().
Be aware that this 'Host' header field can be changed by an attacker. This way the information can still be visible outside 'localhost'...
04-08-2022, 05:44 AM (This post was last modified: 04-08-2022, 05:45 AM by Alexandre Machado.)
(04-07-2022, 07:15 AM)jeroen.rottink Wrote: Hi Alexandre,
True, but application details like the app path etc. are also shown.
I updated the example to also show the differences between how exceptions are handled in the application based on where the exception occurs.
Jeroen,
to have a proper idea of what really appears on that log you need to test from another machine in a network environment.
It will always show everything when running from localhost. That's by design.
If you are running from localhost, you always have access to everything. No need to hide anything in that case.
Hi Alexandre,
I did. See my third post yesterday, and also the remark about changing the Host header field value.
My solution in those cases:
Code:
// Where the check is used, e.g. before building the exception report:
// RemoteAddr := WebApplication.Request.RemoteAddr;
// if not IsLocalHost(RemoteAddr) then ... leave the details out
function TIWServerController.IsLocalHost(const AIP: string): boolean;
begin
  // Decide on the TCP peer address, not on the Host header: the peer
  // address comes from the socket, the Host header is chosen by the client.
  // https://serverfault.com/questions/411658/can-localhost-be-spoofed
  // https://stackoverflow.com/questions/40189084/what-is-ipv6-for-localhost-and-0-0-0-0
  // '::1' is the compressed form of the IPv6 loopback address and is what
  // most stacks report, so it is accepted alongside the expanded form.
  // SameText (SysUtils) compares case-insensitively.
  Result := SameText(AIP, '127.0.0.1') or
            SameText(AIP, '::1') or
            SameText(AIP, '0:0:0:0:0:0:0:1');
end;
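To make the point of the Host-header remark above and of the IsLocalHost solution concrete, here is a small model of both checks side by side. This is example code added to this thread, not IntraWeb's implementation: the request list, the function names and the port numbers are constructed for the demonstration. It shows that a remote client can obtain the full exception page simply by sending `Host: localhost`, while a check on the peer address (the equivalent of `WebApplication.Request.RemoteAddr`) is not fooled. It goes a little beyond the Delphi snippet by also accepting the whole 127.0.0.0/8 range and IPv4-mapped loopback addresses, and by failing closed on unparseable input.

```python
"""Two ways of deciding whether an exception page may include full details
(call stack, application path, ...): by the client-supplied Host header, or
by the address of the TCP peer.  Example code for this thread; not
IntraWeb's implementation.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample requests: (peer address as the socket reports it,
# Host header as the client chose to send it).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("127.0.0.1", "localhost:8888"),        # genuine local test run
    ("0:0:0:0:0:0:0:1", "[::1]:8888"),      # IPv6 loopback, expanded form
    ("::ffff:127.0.0.1", "localhost"),      # IPv4 client seen by a dual-stack socket
    ("10.0.0.5", "localhost:8888"),         # remote client that forged Host
    ("10.0.0.5", "app.example.com"),        # ordinary remote client
    ("not-an-address", "localhost"),        # garbage peer string; must fail closed
]


def host_without_port(host_header: str) -> str:
    """Strip the optional :port from a Host header, handling the [v6]:port form."""
    host = host_header.strip()
    if host.startswith("["):
        return host[1:host.index("]")]
    if host.count(":") == 1:
        return host.rsplit(":", 1)[0]
    return host


def is_local_by_host_header(host_header: str) -> bool:
    """The weak check (Host = localhost).  Everything it looks at is attacker-chosen."""
    return host_without_port(host_header).lower() in {"localhost", "127.0.0.1", "::1"}


def is_local_by_peer(peer_addr: str) -> bool:
    """The hardened check: the peer address comes from the kernel, not the client.
    Accepts 127.0.0.0/8, ::1 in any textual form and IPv4-mapped ::ffff:127.x.x.x.
    Anything that does not parse is treated as remote (fail closed)."""
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback


def show_full_details(peer_addr: str, host_header: str, trust_host_header: bool) -> bool:
    """Should this request get the call stack and app path in the exception page?"""
    if trust_host_header:
        return is_local_by_host_header(host_header)
    return is_local_by_peer(peer_addr)


def leaked_requests(requests=SAMPLE_REQUESTS) -> List[Tuple[str, str]]:
    """Requests that get the full page under the Host check although they are not local."""
    return [(peer, host) for peer, host in requests
            if show_full_details(peer, host, trust_host_header=True)
            and not is_local_by_peer(peer)]


if __name__ == "__main__":
    for peer, host in SAMPLE_REQUESTS:
        print(f"{peer:>18}  Host={host:<16}  by-Host={show_full_details(peer, host, True)!s:<5}"
              f"  by-peer={show_full_details(peer, host, False)}")
    print("leaked under Host check:", leaked_requests())
```

Running it lists the two requests that slip through the Host-header check (the forged `Host: localhost` from 10.0.0.5 and the request with an unparseable peer string); the peer-address check rejects both. One caveat for deployments behind a reverse proxy: there the peer address is the proxy's, and substituting an `X-Forwarded-For` value for it brings back the same client-controlled-input problem unless the proxy is known to overwrite that header.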
(04-07-2022, 04:35 PM)joelcc Wrote: if you really want to hide everything from the user then change the following 2 templates.
Frankly, I do not remember. It may never be used. It may be just the other 2 that are used, but those are the 3 templates that we had our HTML guys update years ago.
I see what you mean. Hold on, I'll run some tests and probably make some changes to allow more granularity when choosing what you want in the final HTML report.