Clean-up invalid path on error page

ikus060 · Sep 22, 2022 · 5ac38b2 · 5ac38b2
1 parent e974df7
commit 5ac38b2
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -107,6 +107,12 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## 2.4.8 (2022-09-23)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Clean-up invalid path on error page
+
 ## 2.4.7 (2002-09-21)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.

diff --git a/rdiffweb/controller/tests/test_page_error.py b/rdiffweb/controller/tests/test_page_error.py
@@ -49,3 +49,20 @@ def test_error_page(self):
             self.assertInBody('Traceback (most recent call last):')
         else:
             self.assertNotInBody('Traceback (most recent call last):')
+
+    def test_not_found(self):
+        # When user browser an invalid path.
+        self.getPage(
+            '/This%20website%20has%20been%20hacked%20and%20the%20confidential%20data%20of%20all%20users%20have%20been%20compromised%20and%20leaked%20to%20public'
+        )
+        # Then an error page is return
+        self.assertStatus("404 Not Found")
+        # Then page doesn't make reference to the path.
+        if self.expect_stacktrace:
+            self.assertInBody(
+                'This website has been hacked and the confidential data of all users have been compromised and leaked to public'
+            )
+        else:
+            self.assertNotInBody(
+                'This website has been hacked and the confidential data of all users have been compromised and leaked to public'
+            )
diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py
@@ -245,6 +245,10 @@ def error_page(self, **kwargs):
             'error page: %s %s\n%s' % (kwargs.get('status', ''), kwargs.get('message', ''), kwargs.get('traceback', ''))
         )
 
+        # Replace message by generic one for 404. Default implementation leak path info.
+        if kwargs.get('status', '') == '404 Not Found':
+            kwargs['message'] = 'Nothing matches the given URI'
+
         # Check expected response type.
         mtype = cherrypy.tools.accept.callable(['text/html', 'text/plain'])  # @UndefinedVariable
         if mtype == 'text/plain':