While accessing APIs with an invalid URL, extra information is included in the error message due to the $e->getMessage() call. Can this be fixed to give a generic error message?

For example:
/api/private/v1/forums/taxonomy_term?parameters[vid]=1'1
/api/private/v1/forums/comment?parameters[nid]=1'1

The part of the code that causes this behavior is:

function services_resource_execute_index_query($query) {
  try {
    return $query->execute();
  }
  catch (PDOException $e) {
    return services_error(t('Invalid query provided, double check that the fields and parameters you defined are correct and exist. ' . $e->getMessage()), 406);
  }
}

Comments

nsshrinivasan created an issue.


This is happening because the services method builds the query at run time from the parameters passed, doesn't do any validation on the parameters, and doesn't throw an exception if an inappropriate parameter is passed.

As mentioned in the issue, it just puts the execution of the query in a try/catch block. So, if the query fails, whatever the reason may be, whether it's an inappropriate parameter or some error during execution of the query, it gets caught in the catch block and displays information which sometimes you can't show to the end user because of security issues.

You can apply the below patch, which removes the $e->getMessage() call.
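The following is an added example illustrating the approach described above; it is not the Services module's own patch or committed code. It shows a hardened variant of services_resource_execute_index_query() that returns the fixed, generic message to the client and sends the PDO error text only to the server log via watchdog(), so operators keep the diagnostic detail that the client must not see. Note that the original also passes the concatenated exception text through t(), which is itself incorrect since t() expects a static, translatable string. The function name services_resource_execute_index_query_hardened, the FailingIndexQuery class, and the stub definitions of t(), watchdog() and services_error() are assumptions made here so the file runs from the PHP CLI without a Drupal bootstrap; inside Drupal the stubs are not needed.

```php
<?php
// Added example, not the Services module's own code. The stubs below stand in
// for Drupal's t(), watchdog() and services_error() so this file runs from the
// PHP CLI without Drupal; inside Drupal the real functions are used instead.

if (!function_exists('t')) {
  function t($string, array $args = array()) {
    return strtr($string, $args);
  }
}
if (!defined('WATCHDOG_ERROR')) {
  define('WATCHDOG_ERROR', 3);
}
if (!function_exists('watchdog')) {
  function watchdog($type, $message, array $variables = array(), $severity = WATCHDOG_ERROR) {
    // Stand-in for Drupal's logger: writes to STDERR instead of the watchdog table.
    fwrite(STDERR, sprintf("[%s] %s\n", $type, strtr($message, $variables)));
  }
}
if (!function_exists('services_error')) {
  function services_error($message, $code = 0, $data = NULL) {
    // Stand-in for the Services helper: returns the error as an array instead of
    // throwing ServicesException, so the client-facing result can be inspected.
    return array('code' => $code, 'message' => $message);
  }
}

/**
 * Hardened variant of services_resource_execute_index_query() (assumed name).
 *
 * The client receives only a fixed, generic message. The PDO error text, which
 * can echo back table or column names and fragments of the caller-supplied
 * parameters, goes to the server log where it belongs.
 */
function services_resource_execute_index_query_hardened($query) {
  try {
    return $query->execute();
  }
  catch (PDOException $e) {
    // Keep the detail for operators: placeholders, not concatenation, so the
    // message is logged safely and the static string stays translatable.
    watchdog('services', 'Index query failed: @message', array('@message' => $e->getMessage()), WATCHDOG_ERROR);
    // Static string only: nothing from the exception reaches the response.
    return services_error(t('Invalid query provided, double check that the fields and parameters you defined are correct and exist.'), 406);
  }
}

// Constructed stand-in for a SelectQuery whose execute() fails the way a
// malformed index filter would: it throws a PDOException whose message carries
// SQL detail that must not be returned to the API client.
class FailingIndexQuery {
  public function execute() {
    throw new PDOException("SQLSTATE[42000]: Syntax error near '1' (constructed sample message)");
  }
}

$result = services_resource_execute_index_query_hardened(new FailingIndexQuery());
// Client-facing output: the generic message only, no SQLSTATE or SQL fragment.
echo json_encode($result), "\n";
if (strpos($result['message'], 'SQLSTATE') !== FALSE) {
  fwrite(STDERR, "exception detail leaked into the client response\n");
  exit(1);
}
```

Running this from the CLI prints the generic 406 error as JSON on stdout while the SQLSTATE detail appears only on stderr, which mirrors the split between the API response and the Drupal log that the fix is meant to achieve.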
