
Consider not exposing exception error attribute by default #7872

Closed
@vpavic


By default, ErrorAttributes will expose the exception attribute, which can be considered information leakage similarly to #4730. IMO the exception attribute shouldn't be included by default but rather only using a mechanism similar to the one used to include the trace attribute.

To clarify using a sample:

@RestController
class AppController {

        @GetMapping("/")
        String home() {
                throw new RuntimeException("Sample error message")
        }

}

Running this with Spring Boot CLI and hitting the home handler will yield:

HTTP/1.1 500 
Connection: close
Content-Type: application/json;charset=UTF-8
Date: Wed, 04 Jan 2017 16:34:22 GMT
Transfer-Encoding: chunked

{
    "error": "Internal Server Error", 
    "exception": "java.lang.RuntimeException", 
    "message": "Sample error message", 
    "path": "/", 
    "status": 500, 
    "timestamp": 1483547662254
}
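
One way for an application to suppress the attribute itself, shown as an added example that is not part of the original issue or Spring Boot's own code. It assumes the Spring Boot 1.x API (`DefaultErrorAttributes` in `org.springframework.boot.autoconfigure.web`); the class name `SanitizedErrorAttributes` is hypothetical.

```java
import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.boot.autoconfigure.web.DefaultErrorAttributes;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestAttributes;

// Hypothetical class name. Assumes Spring Boot 1.x, where the auto-configured
// DefaultErrorAttributes bean backs off when the application defines its own
// ErrorAttributes bean.
@Component
public class SanitizedErrorAttributes extends DefaultErrorAttributes {

    private static final Log logger = LogFactory.getLog(SanitizedErrorAttributes.class);

    @Override
    public Map<String, Object> getErrorAttributes(RequestAttributes requestAttributes,
            boolean includeStackTrace) {
        // Start from the default attributes: timestamp, status, error,
        // exception, message, path (and trace when includeStackTrace is true).
        Map<String, Object> attributes =
                super.getErrorAttributes(requestAttributes, includeStackTrace);

        // Keep the exception type available to operators in the server log
        // instead of in the response body.
        Throwable error = getError(requestAttributes);
        if (error != null) {
            logger.warn("Request to " + attributes.get("path") + " failed with "
                    + error.getClass().getName(), error);
        }

        // Drop the attribute this issue is about before it reaches the client.
        attributes.remove("exception");
        return attributes;
    }
}
```

With this bean registered, the sample response above keeps its other fields and no longer carries `exception`.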

Labels: status: superseded (an issue that has been superseded by another)
