Access to /Default return 500 instead of 404 #5248

Open
eclipxe13 opened this issue Aug 21, 2024 · 2 comments
Labels
good first issue Good for newcomers help wanted Contributions are welcome low priority Something for later...

Comments

@eclipxe13

Describe the bug

Accessing route https://my-server/icingaweb2/Default produces an HTTP Status 500 Internal Server Error instead of 404 Not Found as in https://my-server/icingaweb2/NonExistentRoute.

The error message contains: Undefined array key "Default" and also contains the following trace that shows information about the local setup (considered a security risk):

#0 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(397): Icinga\Application\ApplicationBootstrap->Icinga\Application\{closure}()
#1 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(204): Zend_Controller_Dispatcher_Standard->getControllerClass()
#2 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Dispatcher/Standard.php(244): Zend_Controller_Dispatcher_Standard->isDispatchable()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): Zend_Controller_Dispatcher_Standard->dispatch()
#4 /usr/share/icinga-php/vendor/vendor/shardj/zf1-future/library/Zend/Controller/Front.php(954): Icinga\Web\Controller\Dispatcher->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#6 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

To Reproduce

  1. On a clean installation, access the location of IcingaWeb2 followed by /Default: if the URL is https://my-server/icingaweb2/, then access https://my-server/icingaweb2/Default. No need to log in.

Expected behavior

  • Return a 404 Not Found message.
  • Don't display information about local paths.

Your Environment

  • Icinga Web 2 version and modules (System - About): 2.12.1
  • Web browser used: curl (no need for web browser)
  • Icinga 2 version used (icinga2 --version): r2.14.2-1
  • PHP version used (php --version): 8.3.10 (FPM)
  • Server operating system and version: Debian bookworm (12.6)
  • Git commit date: 2023-11-15
  • Loaded Libraries:
    • icinga/icinga-php-library: 0.14.1
    • icinga/icinga-php-thirdparty: 0.12.1
  • Loaded modules:
    • monitoring: 2.12.1

Additional context

Icinga2 and IcingaWeb2 are installed using Icinga packages. This is also present using Debian (outdated) packages.

@nilmerg
Member

nilmerg commented Aug 21, 2024

Hi,

I presume default is special, because that's the name of the default module in Zend. The error you get only occurs if this name is not all lowercase.

If you don't want stacktraces to be visible to anyone, disable this in the configuration.

@nilmerg nilmerg added low priority Something for later... help wanted Contributions are welcome good first issue Good for newcomers labels Aug 21, 2024
@eclipxe13
Author

eclipxe13 commented Aug 23, 2024

Wouldn't it be appropriate to add a rewrite rule for this to avoid this exception?

> If you don't want stacktraces be visible for anyone, disable this in the configuration.

Thanks, this reduces the security risk.
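A regression check for the two expected behaviours listed in the report (a 404 status and no local paths in the body), as an added example that is not code from this issue or from the Icinga project. The names `leaked_frames` and `check_route` and both sample bodies are constructed here; the trace lines in the failing sample are copied from the report above.

```python
import re

# One PHP trace frame in the format shown in the report:
#   "#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): ..."
FRAME = re.compile(r"#(\d+) (/[^\s(]+\.php)\((\d+)\)")

def leaked_frames(body):
    """Return (frame index, file path, line number) for each trace frame in a body."""
    return [(int(i), path, int(line)) for i, path, line in FRAME.findall(body)]

def check_route(status, body, expected_status=404):
    """Return the findings for one unauthenticated response; an empty list passes."""
    findings = []
    if status != expected_status:
        findings.append(f"status {status}, expected {expected_status}")
    frames = leaked_frames(body)
    if frames:
        # Report directories only: these are what reveal the install layout.
        dirs = sorted({path.rsplit("/", 1)[0] for _, path, _ in frames})
        findings.append(f"{len(frames)} trace frames expose: " + ", ".join(dirs))
    return findings

# Constructed sample: error text plus three frames taken from the report.
SAMPLE_500 = r"""Undefined array key "Default"
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(56): Zend_Controller_Dispatcher_Standard->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(294): Zend_Controller_Front->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}"""

# Constructed sample of the desired behaviour: a plain not-found page.
SAMPLE_404 = "Page not found."

if __name__ == "__main__":
    for name, status, body in [("/Default", 500, SAMPLE_500),
                               ("/NonExistentRoute", 404, SAMPLE_404)]:
        findings = check_route(status, body)
        print(name, "FAIL" if findings else "ok", findings)
```

In a deployment test, pass the status code and body of a real unauthenticated request to `check_route` and fail the run on any finding.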
