From 5ac38b2a75becbab9f948bd5e37ecbcd9f0b362e Mon Sep 17 00:00:00 2001
From: Patrik Dufresne
Date: Thu, 22 Sep 2022 13:23:09 -0400
Subject: [PATCH] Clean-up invalid path on error page

---
 README.md | 6 ++++++
 rdiffweb/controller/tests/test_page_error.py | 17 +++++++++++++++++
 rdiffweb/rdw_app.py | 4 ++++
 3 files changed, 27 insertions(+)

diff --git a/README.md b/README.md
index e4eddf7d..18f11d88 100644
--- a/README.md
+++ b/README.md
@@ -107,6 +107,12 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 
 # Changelog
 
+## 2.4.8 (2022-09-23)
+
+This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
+
+* Clean-up invalid path on error page
+
 ## 2.4.7 (2002-09-21)
 
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
diff --git a/rdiffweb/controller/tests/test_page_error.py b/rdiffweb/controller/tests/test_page_error.py
index 1b40b265..de38b956 100644
--- a/rdiffweb/controller/tests/test_page_error.py
+++ b/rdiffweb/controller/tests/test_page_error.py
@@ -49,3 +49,20 @@ def test_error_page(self):
             self.assertInBody('Traceback (most recent call last):')
         else:
             self.assertNotInBody('Traceback (most recent call last):')
+
+    def test_not_found(self):
+        # When user browser an invalid path.
+        self.getPage(
+            '/This%20website%20has%20been%20hacked%20and%20the%20confidential%20data%20of%20all%20users%20have%20been%20compromised%20and%20leaked%20to%20public'
+        )
+        # Then an error page is return
+        self.assertStatus("404 Not Found")
+        # Then page doesn't make reference to the path.
+        if self.expect_stacktrace:
+            self.assertInBody(
+                'This website has been hacked and the confidential data of all users have been compromised and leaked to public'
+            )
+        else:
+            self.assertNotInBody(
+                'This website has been hacked and the confidential data of all users have been compromised and leaked to public'
+            )
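Review bot: The comment `# Then page doesn't make reference to the path.` in test_not_found contradicts the `if self.expect_stacktrace:` branch right below it, which asserts the path IS present in the body; reword it to `# Then the path is only echoed back when stack traces are enabled.` so the test documents the accepted debug-mode behaviour instead of the opposite. The two other comments have typos: `# When the user browses an invalid path.` and `# Then an error page is returned.`. The long decoy string is duplicated three times (once percent-encoded, twice decoded); binding the decoded form to a local and deriving the request path from it with urllib.parse.quote would keep the two copies from drifting apart. The test only exercises the HTML branch of the error page; a second request accepting text/plain would confirm the generic message also reaches that path, if it is meant to. The enclosing test class starts outside the hunk.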
diff --git a/rdiffweb/rdw_app.py b/rdiffweb/rdw_app.py
index 137e92e0..79b6c71b 100644
--- a/rdiffweb/rdw_app.py
+++ b/rdiffweb/rdw_app.py
@@ -245,6 +245,10 @@ def error_page(self, **kwargs):
             'error page: %s %s\n%s' % (kwargs.get('status', ''), kwargs.get('message', ''), kwargs.get('traceback', ''))
         )
 
+        # Replace message by generic one for 404. Default implementation leak path info.
+        if kwargs.get('status', '') == '404 Not Found':
+            kwargs['message'] = 'Nothing matches the given URI'
+
         # Check expected response type.
         mtype = cherrypy.tools.accept.callable(['text/html', 'text/plain']) # @UndefinedVariable
         if mtype == 'text/plain':
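Review bot: The new guard compares the status against the exact string `'404 Not Found'`, so a 404 raised with any other reason phrase keeps the original message that embeds the requested path; `if kwargs.get('status', '').startswith('404'):` covers the status code regardless of phrase. Only 404 is sanitized here, and the `traceback` value is passed through untouched, which is presumably why the accompanying test still expects the path in the body when stack traces are enabled; whether other error statuses echo request data is not visible in this hunk and is worth checking rather than assuming. The comment would read better as `# Replace the message with a generic one for 404: the default message leaks the requested path.`. error_page's body continues outside the hunk.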