While accessing APIs with an invalid URL, extra information is thrown in the error message due to `$e->getMessage()`. Can this be fixed to give a generic error message?
For example:
- `/api/private/v1/forums/taxonomy_term?parameters[vid]=1'1`
- `/api/private/v1/forums/comment?parameters[nid]=1'1`
The part of the code that causes this behavior is:
```php
function services_resource_execute_index_query($query) {
  try {
    return $query->execute();
  }
  catch (PDOException $e) {
    // The raw PDO exception text (driver, SQL fragment, table/column names)
    // is concatenated into the message returned to the API client.
    return services_error(t('Invalid query provided, double check that the fields and parameters you defined are correct and exist. ' . $e->getMessage()), 406);
  }
}
```
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | information_disclosure_while_accessing_apis-2927717-12366277.patch | 579 bytes | rahul1705 |
Comments
Comment #2
rahul1705 (credited as a volunteer) commented:
This is happening because the services method builds the query at run time from the parameters passed and doesn't do any validation on the parameters, and doesn't throw an exception if an inappropriate parameter is passed.
As mentioned in the issue, it just puts the execution of the query in a try/catch block. So, if the query fails, whatever the reason may be, whether it's an inappropriate parameter or some error at execution of the query, it gets caught in the catch block and displays the info, which sometimes you can't display to the end user because of the security issue.
You can apply the below patch, which removes the `$e->getMessage()`.
Comment #3
rahul1705 (credited as a volunteer) commented:
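A hardened version of the function, as an added example that is not the attached patch (the patch simply drops `$e->getMessage()`): the exception detail is kept server-side through `watchdog()` so operators can still diagnose failed queries, while only the generic message reaches the client. It assumes the Drupal 7 runtime (`t()`, `watchdog()`) and the Services module's `services_error()`.

```php
<?php
// Added example, not the Services module's own patch. Assumes Drupal 7 and
// the Services module are bootstrapped (t(), watchdog(), services_error()).

/**
 * Executes an index query built from client-supplied parameters, without
 * echoing database error details back to the API consumer.
 */
function services_resource_execute_index_query_hardened($query) {
  try {
    return $query->execute();
  }
  catch (PDOException $e) {
    // Keep the full exception text in the site log (dblog/syslog) only.
    // Placeholders are escaped by watchdog(), so the raw text never becomes
    // markup, and it is never part of the HTTP response body.
    watchdog('services', 'Index query failed: @message', array(
      '@message' => $e->getMessage(),
    ), WATCHDOG_ERROR);

    // The client gets a fixed, translatable message with no DB internals.
    // Passing a literal to t() also avoids translating dynamic strings.
    return services_error(t('Invalid query provided, double check that the fields and parameters you defined are correct and exist.'), 406);
  }
}
```

Requests such as `?parameters[vid]=1'1` then produce the same 406 status and generic text for every underlying failure, while the dblog entry still records which query broke and why.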