Closed drifteaur closed 3 years ago
The only header that Element API is setting is the Content-Type header, via the JsonResponseHeader here:
And I just tested locally and couldn’t reproduce. Exception messages are not leaking into the response headers for me. Not sure how that would be happening.
@brandonkelly I was just able to replicate this by adding an invalid 'orderBy' to the getElementQuery() in a custom ElementResource class, e.g.:

use craft\elementapi\resources\ElementResource;
use craft\elements\db\ElementQueryInterface;

// Class name is illustrative; any custom resource extending ElementResource will do.
class BrokenResource extends ElementResource
{
    protected function getElementQuery(): ElementQueryInterface
    {
        $query = parent::getElementQuery();
        // 'boo' is not a column, so the query throws a database exception when executed
        $query->orderBy('boo');
        return $query;
    }
}
What version of PHP are you running? In the case of #138, this ended up being an issue with PHP 7.3.
@brandonkelly OK let me clarify, it's not a header like Content-Type, it's the status text sent along with the status code (500 etc).
The caught exception pushes the exception message into the status text; in DefaultController::actionIndex:
} catch (\Throwable $e) {
    $data = [
        'error' => [
            'code' => $e instanceof HttpException ? $e->statusCode : $e->getCode(),
            'message' => $e->getMessage(),
        ]
    ];
    $statusCode = $e instanceof HttpException ? $e->statusCode : 500;
    $statusText = $e->getMessage();
}
Later, the response is set:
$response->setStatusCode($statusCode, $statusText);
The Yii Response will set the status code text. If it contains newlines, it will trigger an error.
Proposed resolution: don't include the message in the statusText, it's there in the response body anyway. Or, sanitize it to remove newlines/limit length.
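As an added illustration of the problem described in this comment (this is example code, not Element API's code and not drifteaur's), the stand-alone PHP script below builds the status text both ways: raw, exactly as the catch block above did, and sanitized so that it can never break the status line. The exception message is constructed to look like the database error an invalid orderBy() produces (driver message, then the SQL on a new line); the reason-phrase table and the helper names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not project code. A short reason-phrase table standing in for
// Yii's own yii\web\Response::$httpStatuses (assumption for this example).
const REASON_PHRASES = [
    400 => 'Bad Request',
    403 => 'Forbidden',
    404 => 'Not Found',
    500 => 'Internal Server Error',
];

/** Status text the way the original handler built it: the raw exception message. */
function unsafeStatusText(Throwable $e): string
{
    return $e->getMessage();
}

/**
 * Status text that cannot break the status line:
 *  - CR, LF and every other control character are replaced (no second header,
 *    no CRLF injection, no "new line detected" warning from header())
 *  - the text is truncated, a status line is no place for a full SQL statement
 *  - an empty result falls back to the standard reason phrase for the code
 */
function safeStatusText(Throwable $e, int $statusCode, int $maxLen = 120): string
{
    $text = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $e->getMessage()) ?? '';
    $text = trim(preg_replace('/\s{2,}/', ' ', $text) ?? '');
    if (mb_strlen($text) > $maxLen) {
        $text = mb_substr($text, 0, $maxLen - 3) . '...';
    }
    return $text !== '' ? $text : (REASON_PHRASES[$statusCode] ?? 'Error');
}

/** True when $text is acceptable to PHP's header(): a single line with no control characters. */
function isValidStatusText(string $text): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $text) !== 1;
}

/** The status line Yii's Response would try to send for this code and text. */
function buildStatusLine(int $statusCode, string $statusText): string
{
    return sprintf('HTTP/1.1 %d %s', $statusCode, $statusText);
}

// Constructed input: shaped like the PDO error Yii reports for orderBy('boo').
$message = "SQLSTATE[42S22]: Column not found: 1054 Unknown column 'boo' in 'order clause'\n"
    . "The SQL being executed was: SELECT * FROM `elements` ORDER BY `boo`";
$e = new RuntimeException($message);

$unsafe = unsafeStatusText($e);
$safe   = safeStatusText($e, 500);

echo 'raw message valid as status text?       ', var_export(isValidStatusText($unsafe), true), PHP_EOL;
echo 'sanitized message valid as status text? ', var_export(isValidStatusText($safe), true), PHP_EOL;
echo 'status line that would be sent:         ', buildStatusLine(500, $safe), PHP_EOL;
```

Run it with `php` on the command line. Sanitizing is the fallback; the simpler fix this comment proposes is to call `$response->setStatusCode($statusCode)` with no text at all, since Yii then takes the reason phrase from its own table and the message is already present in the JSON body. Either way, the status line never carries exception text, which can be multi-line and can echo request-supplied values.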
@brandonkelly Using PHP 7.4, it can be replicated using the instructions I provided.
@drifteaur @jlawrence-yellostudio Thanks for the clarification! Just released v2.8.1 with a fix for this.
If Element API catches an exception, it will output the exception's message as an HTTP header. The exception message can contain newlines, in which case Yii will print an unhelpful message instead of the exception's message:
Proposed resolution: don't include the error message in the header text (it's already included in the content of the returned data). Or, remove the newlines.
It's in DefaultController.php at around line 170.