API: Handle permission exceptions soon enough, returning 404 bugfix/api-put-error-handling 7528/head
authorMichael Friedrich <michael.friedrich@icinga.com>
Mon, 23 Sep 2019 07:48:50 +0000 (09:48 +0200)
committerMichael Friedrich <michael.friedrich@icinga.com>
Mon, 23 Sep 2019 07:48:50 +0000 (09:48 +0200)
fixes #7513

lib/remote/httphandler.cpp

index 78e09d2ade12c921d4aacb943e8fba5f0c193f8c..8cfe4ae5cf7e9fc31017ffaa69bd58750a2893f5 100644 (file)
@@ -98,11 +98,22 @@ void HttpHandler::ProcessRequest(
        }
 
        bool processed = false;
-       for (const HttpHandler::Ptr& handler : handlers) {
-               if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
-                       processed = true;
-                       break;
+
+       /*
+        * HandleRequest may throw a permission exception.
+        * DO NOT return a specific permission error. This
+        * allows attackers to guess from words which objects
+        * do exist.
+        */
+       try {
+               for (const HttpHandler::Ptr& handler : handlers) {
+                       if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
+                               processed = true;
+                               break;
+                       }
                }
+       } catch (const std::exception&) {
+               processed = false;
        }
 
        if (!processed) {
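Review bot: The `catch (const std::exception&)` added around the handler loop swallows every exception, not only the permission error the comment describes, so an internal failure in any handler is also answered as 404 and leaves no trace for operators or for detection of repeated denied requests. Keeping the client-facing response uniform is the right call for hiding which objects exist, but the server should still record the cause, for example `} catch (const std::exception& ex) {` followed by `Log(LogNotice, "HttpHandler") << "Handler failed, answering 404: " << ex.what();`. If a handler can throw after it has started writing to `response`, the `if (!processed)` path may run on a partly filled response; that path lies outside the visible lines, so this needs checking. ProcessRequest starts before and continues after this hunk.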