Closed
Description
By default, `ErrorAttributes` will expose the `exception` attribute, which can be considered information leakage, similarly to #4730. IMO the `exception` attribute shouldn't be included by default but rather only using a mechanism similar to the one used to include the `trace` attribute.
To clarify using a sample:
```groovy
@RestController
class AppController {
    @GetMapping("/")
    String home() {
        throw new RuntimeException("Sample error message")
    }
}
```
Running this with Spring Boot CLI and hitting the `home` handler will yield:
```http
HTTP/1.1 500
Connection: close
Content-Type: application/json;charset=UTF-8
Date: Wed, 04 Jan 2017 16:34:22 GMT
Transfer-Encoding: chunked

{
  "error": "Internal Server Error",
  "exception": "java.lang.RuntimeException",
  "message": "Sample error message",
  "path": "/",
  "status": 500,
  "timestamp": 1483547662254
}
```
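One way to get the behaviour proposed above on Spring Boot 1.x without waiting for a framework change, as an added example that is not part of the issue or of Spring Boot itself: register a custom `ErrorAttributes` bean that drops the `exception` attribute unless the stack trace was requested, reusing the same `includeStackTrace` flag the `trace` attribute already relies on (controlled by `server.error.include-stacktrace` and the `trace` request parameter). The class name `ErrorAttributesConfig` is a hypothetical choice; the package names are those of Spring Boot 1.x.

```java
import java.util.Map;

import org.springframework.boot.autoconfigure.web.DefaultErrorAttributes;
import org.springframework.boot.autoconfigure.web.ErrorAttributes;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.context.request.RequestAttributes;

// Hypothetical configuration class: overrides the auto-configured
// ErrorAttributes bean (ErrorMvcAutoConfiguration backs off when one exists).
@Configuration
public class ErrorAttributesConfig {

    @Bean
    public ErrorAttributes errorAttributes() {
        return new DefaultErrorAttributes() {
            @Override
            public Map<String, Object> getErrorAttributes(RequestAttributes requestAttributes,
                                                          boolean includeStackTrace) {
                Map<String, Object> attrs = super.getErrorAttributes(requestAttributes, includeStackTrace);
                // includeStackTrace is already gated by server.error.include-stacktrace
                // (ALWAYS / NEVER / ON_TRACE_PARAM), so the exception class name is only
                // revealed to callers who are entitled to see the trace as well.
                if (!includeStackTrace) {
                    attrs.remove("exception");
                }
                return attrs;
            }
        };
    }
}
```

With `server.error.include-stacktrace=never` (or the default `on_trace_param` without `?trace=true`) the 500 response above then carries only `error`, `message`, `path`, `status` and `timestamp`. Spring Boot 2.3 and later no longer include `exception` by default and gate it behind the `server.error.include-exception` property instead.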