Icinga / icingaweb2

A lightweight and extensible web interface to keep an eye on your environment. Analyse problems and act on them.
https://icinga.com/get-started/
GNU General Public License v2.0

Access to /Default return 500 instead of 404 #5248

Open eclipxe13 opened 3 months ago

eclipxe13 commented 3 months ago

Describe the bug

Accessing route https://my-server/icingaweb2/Default produces an HTTP Status 500 Internal Server Error instead of 404 Not Found as in https://my-server/icingaweb2/NonExistentRoute.

The error message contains: Undefined array key "Default" and also contains the following trace, which shows information about the local setup (considered a security risk):

#0 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(397): Icinga\Application\ApplicationBootstrap->Icinga\Application\{closure}()
#1 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(204): Zend_Controller_Dispatcher_Standard->getControllerClass()
#2 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(244): Zend_Controller_Dispatcher_Standard->isDispatchable()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): Zend_Controller_Dispatcher_Standard->dispatch()
#4 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#6 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

To Reproduce

  1. On a clean installation, access the location of IcingaWeb2 followed by /Default: if the URL is https://my-server/icingaweb2/, then access https://my-server/icingaweb2/Default. No need to log in.

Expected behavior

Your Environment

Additional context

Icinga2 and IcingaWeb2 are installed using Icinga packages. This is also present using Debian (outdated) packages.

nilmerg commented 3 months ago

Hi,

I presume default is special, because that's the name of the default module in Zend. The error you get only occurs if this name is not all lowercase.

If you don't want stacktraces to be visible for anyone, disable this in the configuration.

eclipxe13 commented 3 months ago

Wouldn't it be appropriate to add a rewrite rule for this to avoid this exception?

> If you don't want stacktraces to be visible for anyone, disable this in the configuration.

Thanks, this reduces the security risk.
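
Added example (not part of the thread and not Icinga project code): a check that a captured response body from your own instance no longer exposes a PHP stack trace with local install paths, useful as a regression test after stack traces are disabled in the configuration. The function names, the `<pre>` wrapper and the 404 body are assumptions made for this example; the frames in the sample are taken from the trace in the report.

```python
import re

# One frame of PHP's Exception::getTraceAsString() output, e.g.
#   #3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): Foo->dispatch()
FRAME_RE = re.compile(r"#(\d+) (/[^\s()]+\.php)\((\d+)\): (\S+)")
MAIN_RE = re.compile(r"#\d+ \{main\}")

# Constructed sample: a few frames from the report inside a made-up <pre> element.
SAMPLE_500 = r"""<pre>Undefined array key "Default"
#0 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(397): Icinga\Application\ApplicationBootstrap->Icinga\Application\{closure}()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): Zend_Controller_Dispatcher_Standard->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}</pre>"""
SAMPLE_404 = "<h1>Page not found</h1>"  # constructed body without a trace


def find_trace_leak(body):
    """Describe what a response body reveals through an embedded PHP trace."""
    frames = FRAME_RE.findall(body)
    paths = sorted({path for _, path, _, _ in frames})
    # The first three path components show where each package is installed.
    roots = sorted({"/".join(p.split("/")[:4]) for p in paths})
    return {
        "leaks": bool(frames) or bool(MAIN_RE.search(body)),
        "frame_count": len(frames),
        "paths": paths,
        "install_roots": roots,
    }


def check_response(status, body):
    """Return findings for one captured response; an empty list means clean."""
    findings = []
    info = find_trace_leak(body)
    if info["leaks"]:
        roots = ", ".join(info["install_roots"])
        findings.append(f"stack trace exposed ({info['frame_count']} frames; {roots})")
    if status >= 500:
        findings.append(f"server error {status} instead of a client error")
    return findings


if __name__ == "__main__":
    for status, body in ((500, SAMPLE_500), (404, SAMPLE_404)):
        print(status, check_response(status, body) or "ok")
```
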