Merge pull request #7528 from Icinga/bugfix/api-put-error-handling

API: Handle permission exceptions soon enough, returning 404
This commit is contained in:
Michael Friedrich 2019-11-15 11:53:59 +01:00 committed by GitHub
commit 38080405df
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 4 deletions

View File

@ -98,11 +98,22 @@ void HttpHandler::ProcessRequest(
}
bool processed = false;
for (const HttpHandler::Ptr& handler : handlers) {
if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
processed = true;
break;
/*
* HandleRequest may throw a permission exception.
* DO NOT return a specific permission error. This
* allows attackers to guess from words which objects
* do exist.
*/
try {
for (const HttpHandler::Ptr& handler : handlers) {
if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
processed = true;
break;
}
}
} catch (const std::exception&) {
processed = false;
}
if (!processed) {