[ErrorRenderer] Show generic message in non-debug mode #34197
Conversation
|
(Travis dep=high failure is normal) |
|
I disagree here, exceptions messages are never meant for the end user, even for non-500. I have lots of code that throws NotFound/AccessDenied exceptions with messages that are meant for logs/debug and not for the end user. |
|
There is only one way here: in non-debug mode, do the same as 4.x did before the introduction of the new components. |
|
One example where it could leak sensitive data is when using the |
|
I think we should make this configurable. By default, the exception messages would not be shown. Let people configure which exception classes / status codes are allowed to show the message. This is one of the few really useful features of the fos rest bundle and it should be part of the core IMO, see |
a012a09 to
92585eb
Compare
|
PR Updated according to comments. I like the @Tobion's idea of somehow returning the real message for specific friendly exceptions, e.g. validation errors related to the request, etc. Let's create a dedicated issue to discuss it. Thanks! |
src/Symfony/Component/ErrorRenderer/ErrorRenderer/JsonErrorRenderer.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/ErrorRenderer/ErrorRenderer/JsonErrorRenderer.php
Outdated
Show resolved
Hide resolved
|
Thank you @yceruto. |
…yceruto) This PR was merged into the 4.4 branch. Discussion ---------- [ErrorRenderer] Show generic message in non-debug mode | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - I agree with @Tobion here #34158 (comment), so let's always show the detail message, but for 5xx errors we'll send a generic message instead. /cc @dunglas wdyt? Commits ------- 45f1a5e Show generic message in non-debug mode
| if ($debug) { | ||
| $message = $exception->getMessage(); | ||
| } else { | ||
| $message = 404 === $exception->getStatusCode() ? 'Sorry, the page you are looking for could not be found.' : 'Whoops, looks like something went wrong.'; |
There was a problem hiding this comment.
Sorry but I'm totally👎 on this. The message does not make any sense in an API context.
There was a problem hiding this comment.
Would you like a generic message like: Not Found (404 error) or do you have any other message in mind?
There was a problem hiding this comment.
I prefer no message at all. What we put here it's arbitrary.
There was a problem hiding this comment.
Other suggestion for this 404 message is this one:
The server has not found anything matching the Request-URI
Taken from https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
There was a problem hiding this comment.
This is how the message would look for JSON format (non-debug mode):
{
"title": "Not Found",
"status": 404,
"detail": "The server has not found anything matching the Request-URI"
}There was a problem hiding this comment.
Whoops, looks like something went wrong.
Why does it say "something" went wrong when it's clear what went "wrong" based on the status code?
Why does it say "wrong" when in theory I can return a successful error code from getStatusCode?
There was a problem hiding this comment.
Whoops, looks like something went wrong.
Why does it say "something" went wrong when it's clear what went "wrong" based on the status code?
Because I want to be more friendly with an explicit and verbose error message. It's not arbitrary, it was taken from here https://github.com/symfony/symfony/blob/2.0/src/Symfony/Component/HttpKernel/Debug/ExceptionHandler.php#L77-L83 (since Symfony 2.0)
Why does it say "wrong" when in theory I can return a successful error code from getStatusCode?
Which wouldn't make sense to me.
There was a problem hiding this comment.
The title already gives the text explanation of the status code. Anything else is just arbitrary and I don't see why you keep insisting on the detail property.
There was a problem hiding this comment.
Please, revert these changes if you still think it's useless and arbitrary, but then I'll be agaisnt to have "detail" property for debug mode only, because (1) it is not intended for debugging information according to rfc; (2) for the same request consistently we must return the same response, at least this would apply to the members defined in the rfc, "detail" is one of them.
Anything else is considered an "extensions". In this case "exception" property (rendered on debug mode only) is an extension property.
It's problable that we're using the wrong names here and we should have called them "message" & "trace" respectively as extensions of the problem detail for debug mode only, so we can get rid of them on non-debug mode.
I agree with @Tobion here #34158 (comment), so let's always show the detail message, but for 5xx errors we'll send a generic message instead.
/cc @dunglas wdyt?