Vauxoo / odoo

Fork of Odoo (formerly OpenERP). [This project is not publicly maintained; it was born for internal usage with some little patches.] Go to the official repository on github.com/odoo/odoo
https://www.odoo.com

[IMP] http_routing: Avoid returning verbose errors #588

Open VEscaname opened 6 months ago

VEscaname commented 6 months ago

Description of the issue/feature this PR addresses: Returning verbose errors presents a vulnerability to subsequent attacks by sharing information that could be used to find and exploit vulnerabilities.

Current behavior before PR: Errors can be displayed in an error page with a full traceback for debugging

Desired behavior after PR is merged: The traceback sent to the template for the error page now displays a hash instead. This hash will match a hash that will accompany the error within the log, so that errors raised can still be debugged

Related Task T#77665

Screenshot from 2024-03-20 11-31-12

Screenshot from 2024-03-20 11-31-33
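The mechanism described in the PR, shown as an added example that is not the PR's patch or Odoo's own http_routing code: the "before" path puts the full traceback into the error-page template context, while the "after" path logs the traceback together with a short reference derived from it and hands only that reference to the template. The helper names (`error_reference`, `verbose_error_page`, `hashed_error_page`), the SHA-256 truncation to 16 hex characters, and the constructed `KeyError` are assumptions for illustration.

```python
import hashlib
import logging
import traceback
from io import StringIO

_logger = logging.getLogger("http_error_demo")


def error_reference(exc: BaseException) -> tuple[str, str]:
    """Format the full traceback and derive a short reference from it.

    Hypothetical helper (not Odoo code): the reference is the first 16 hex
    characters of SHA-256 over the formatted traceback, so the same failure
    yields the same reference and can be grepped for in the server log.
    """
    tb_text = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    ref = hashlib.sha256(tb_text.encode("utf-8")).hexdigest()[:16]
    return ref, tb_text


def verbose_error_page(exc: BaseException) -> dict:
    """'Before' behaviour: the raw traceback is passed to the error template."""
    _, tb_text = error_reference(exc)
    return {"status_message": str(exc), "traceback": tb_text}


def hashed_error_page(exc: BaseException) -> dict:
    """'After' behaviour: the traceback goes to the log under a reference,
    and only that reference (plus a generic message) reaches the template."""
    ref, tb_text = error_reference(exc)
    _logger.error("Error reference %s\n%s", ref, tb_text)
    return {"status_message": "Internal Server Error", "traceback": ref}


def demo() -> tuple[dict, dict, str]:
    """Run both paths on a constructed failure and capture what reached the log."""
    buf = StringIO()
    handler = logging.StreamHandler(buf)
    _logger.addHandler(handler)
    _logger.setLevel(logging.ERROR)
    _logger.propagate = False
    try:
        try:
            # Constructed failure: a lookup that would expose an internal
            # key name if its traceback were rendered to the visitor.
            config = {"db_host": "db.internal"}
            config["db_password"]
        except KeyError as exc:
            before = verbose_error_page(exc)
            after = hashed_error_page(exc)
    finally:
        _logger.removeHandler(handler)
    return before, after, buf.getvalue()


if __name__ == "__main__":
    before, after, log = demo()
    print("visitor sees (before):", before["traceback"].splitlines()[0])
    print("visitor sees (after): ", after["traceback"])
    print("log contains reference:", after["traceback"] in log)
```

Because the formatted traceback includes file paths, the same logical error produces a different reference on differently installed systems; that is acceptable for correlating one response with one log entry, which is all the PR description asks of the hash. A random per-request correlation ID would serve the same purpose without depending on traceback text.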

VEscaname commented 6 months ago

@hugho-ad @moylop260 @xmglord Could you please take a look?

moylop260 commented 6 months ago

could you share a video/screenshots about the output to the user and output in the logger, please?

VEscaname commented 6 months ago

could you share a video/screenshots about the output to the user and output in the logger, please?

Sure thing. Here is the link to the video. I also added the requested screenshots to the PR description

moylop260 commented 6 months ago

@mart-e

I'm curious what Odoo thinks about

mart-e commented 6 months ago

@moylop260 as explained by my colleague by email, we don't really consider this as an issue as the code is open source anyway. At least in terms of security; it might be different from a UX point of view, but it's hidden for visitors anyway. Also, it's easy to hide it by customizing http_routing.http_error if needed.