From f419efd778f3f9114b21ededba481b74998bb7e4 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Mon, 23 Sep 2019 09:48:50 +0200
Subject: [PATCH] API: Handle permission exceptions soon enough, returning 404

fixes #7513
---
 lib/remote/httphandler.cpp | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/lib/remote/httphandler.cpp b/lib/remote/httphandler.cpp
index 78e09d2ad..8cfe4ae5c 100644
--- a/lib/remote/httphandler.cpp
+++ b/lib/remote/httphandler.cpp
@@ -98,11 +98,22 @@ void HttpHandler::ProcessRequest(
 }
 
 bool processed = false;
- for (const HttpHandler::Ptr& handler : handlers) {
- if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
- processed = true;
- break;
+
+ /*
+ * HandleRequest may throw a permission exception.
+ * DO NOT return a specific permission error. This
+ * allows attackers to guess from words which objects
+ * do exist.
+ */
+ try {
+ for (const HttpHandler::Ptr& handler : handlers) {
+ if (handler->HandleRequest(stream, user, request, url, response, params, yc, server)) {
+ processed = true;
+ break;
+ }
 }
+ } catch (const std::exception&) {
+ processed = false;
 }
 
 if (!processed) {
-- 
2.40.0
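Review bot: The new `catch (const std::exception&)` around the handler loop swallows every exception a handler can raise, not only the permission failure the comment describes, so an internal error or malformed-input failure is also reported as "not found" and leaves no trace on the server. Hiding the reason from the client is the right call against object enumeration, but the server side should still record it: bind the exception (`catch (const std::exception& ex)`) and write the request path and `ex.what()` to the project's log before falling through, so denied-access probing and real handler bugs remain visible to operators. If the permission check throws a dedicated exception type (not visible in this hunk), catching that type alone and letting everything else propagate to the existing error path would keep genuine failures from being masked as 404. The `processed = false;` in the catch block is redundant, since `processed` can only be set after `HandleRequest` has returned without throwing. `ProcessRequest` begins and ends outside this hunk, so whether a handler may already have written part of `response` before throwing should be checked against the not-processed branch that follows.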