API: Handle permission exceptions soon enough, returning 404

fixes #7513
Michael Friedrich 2019-09-23 09:48:50 +02:00
parent f6205c9d4b
commit f419efd778


@ -98,12 +98,23 @@ void HttpHandler::ProcessRequest(
} }
bool processed = false; bool processed = false;
/*
* HandleRequest may throw a permission exception.
* DO NOT return a specific permission error. This
* allows attackers to guess from words which objects
* do exist.
*/
try {
for (const HttpHandler::Ptr& handler : handlers) { for (const HttpHandler::Ptr& handler : handlers) {
if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) { if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
processed = true; processed = true;
break; break;
} }
} }
} catch (const std::exception&) {
processed = false;
}
if (!processed) { if (!processed) {
HttpUtility::SendJsonError(response, params, 404, "The requested path '" + boost::algorithm::join(path, "/") + HttpUtility::SendJsonError(response, params, 404, "The requested path '" + boost::algorithm::join(path, "/") +
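Review bot: The `catch (const std::exception&)` around the handler loop swallows every exception, not only the permission failures the comment describes, so malformed input or an internal fault inside a handler also ends up as a silent 404. Keeping the client-facing answer generic is the right way to avoid object enumeration, but the server loses the record: bind the exception (`} catch (const std::exception& ex) {`) and log `ex.what()` together with the requesting user at a low log level, so repeated denied requests stay visible for auditing. If the permission check throws a distinguishable type, catching only that type would let real faults keep their normal error handling. It is also worth confirming that no handler can have written part of `response` before throwing, since the 404 is sent afterwards; ProcessRequest's body begins and ends outside this hunk.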