Avoid leakage of the stack trace in the default error page #210

README.md

@@ -112,6 +112,7 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/
 This releases include a security fix. If you are using an earlier version, you should upgrade to this release immediately.
 
 * Use 'Secure' Attribute with Sensitive Cookie in HTTPS Session. [CVE-2022-3174](https://nvd.nist.gov/vuln/detail/CVE-2022-3174) #209
+* Avoid leakage of the stack trace in the default error page. [CVE-2022-3175](https://nvd.nist.gov/vuln/detail/CVE-2022-3175) #210
 
 ## 2.4.1 (2022-09-08)
 

doc/configuration.md

@@ -69,7 +69,7 @@ Rdiffweb can be configured to send logs to specific location. By default, logs a
 | log-file | Define the location of the log file. | /var/log/rdiffweb/server.log |
 | log-access-file | Define the location of the access log file. | /var/log/rdiffweb/access.log |
 
-**Enable Debugging log**
+### Enable Debugging
 
 A specific option is also available if you want to enable the debugging log. We do not recommend to enable this option in production as it may leak information to the user whenever an exception is raised.
 

rdiffweb/controller/tests/test_page_error.py

@@ -21,17 +21,31 @@
 """
 
 
+from parameterized import parameterized_class
+
 import rdiffweb.test
 
 
+@parameterized_class(
+    [
+        {"default_config": {'environment': 'production'}, "expect_stacktrace": False},
+        {"default_config": {'environment': 'development'}, "expect_stacktrace": True},
+        {"default_config": {'debug': False}, "expect_stacktrace": False},
+        {"default_config": {'debug': True}, "expect_stacktrace": True},
+    ]
+)
 class ErrorPageTest(rdiffweb.test.WebCase):
-    """
-    Check how the error page behave.
-    """
 
     login = True
 
     def test_error_page(self):
+        # Given a webserver started with production environment
+        # When error page is return
         self.getPage('/invalid/')
+        # Then page doesn't contain a stack trace
         self.assertStatus("404 Not Found")
         self.assertInBody("Oops!")
+        if self.expect_stacktrace:
+            self.assertInBody('Traceback (most recent call last):')
+        else:
+            self.assertNotInBody('Traceback (most recent call last):')

rdiffweb/main.py

@@ -94,7 +94,6 @@ def main(args=None, app_class=RdiffwebApp):
     cfg = app_class.parse_args(args)
 
     # Configure logging
-    environment = 'development' if cfg.debug else cfg.environment
     log_level = "DEBUG" if cfg.debug else cfg.log_level
     _setup_logging(log_file=cfg.log_file, log_access_file=cfg.log_access_file, level=log_level)
 
@@ -108,7 +107,6 @@ def main(args=None, app_class=RdiffwebApp):
                 'server.ssl_private_key': cfg.ssl_private_key,
                 # Set maximum POST size to 2MiB, for security.
                 'server.max_request_body_size': 2097152,
-                'server.environment': environment,
             }
         )
         # Start web server

rdiffweb/rdw_app.py

@@ -61,6 +61,16 @@
 # Define the logger
 logger = logging.getLogger(__name__)
 
+# Define cherrypy development environment
+cherrypy.config.environments['development'] = {
+    'engine.autoreload.on': True,
+    'checker.on': False,
+    'tools.log_headers.on': True,
+    'request.show_tracebacks': True,
+    'request.show_mismatched_params': True,
+    'log.screen': False,
+}
+
 
 @cherrypy.tools.proxy()
 @cherrypy.tools.secure_headers()
@@ -108,10 +118,10 @@ def parse_args(cls, args=None, config_file_contents=None):
         return parse_args(args, config_file_contents)
 
     def __init__(self, cfg):
-
         self.cfg = cfg
         cherrypy.config.update(
             {
+                'environment': 'development' if cfg.debug else cfg.environment,
                 # Configure LDAP plugin
                 'ldap.uri': cfg.ldap_uri,
                 'ldap.base_dn': cfg.ldap_base_dn,