Do not return the exception message to the client for AuthenticationExceptions

2020-04-13 16:10:55 -04:00 · 2020-04-13 16:10:55 -04:00 · 8b4b4b4127
commit 8b4b4b4127
parent a8c3951c17
1 changed files with 8 additions and 9 deletions
--- a/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
+++ b/Emby.Server.Implementations/HttpServer/HttpListenerHost.cs
@ -269,25 +269,24 @@ namespace Emby.Server.Implementations.HttpServer

            httpRes.StatusCode = statusCode;

-            var errContent = NormalizeExceptionMessage(ex.Message);
+            var errContent = NormalizeExceptionMessage(ex) ?? string.Empty;
            httpRes.ContentType = "text/plain";
            httpRes.ContentLength = errContent.Length;
            await httpRes.WriteAsync(errContent).ConfigureAwait(false);
        }

-        private string NormalizeExceptionMessage(string msg)
+        private string NormalizeExceptionMessage(Exception ex)
        {
-            if (msg == null)
+            // Do not expose the exception message for AuthenticationException
+            if (ex is AuthenticationException)
            {
-                return string.Empty;
+                return null;
            }

            // Strip any information we don't want to reveal
-
-            msg = msg.Replace(_config.ApplicationPaths.ProgramSystemPath, string.Empty, StringComparison.OrdinalIgnoreCase);
-            msg = msg.Replace(_config.ApplicationPaths.ProgramDataPath, string.Empty, StringComparison.OrdinalIgnoreCase);
-
-            return msg;
+            return ex.Message
+                ?.Replace(_config.ApplicationPaths.ProgramSystemPath, string.Empty, StringComparison.OrdinalIgnoreCase)
+                .Replace(_config.ApplicationPaths.ProgramDataPath, string.Empty, StringComparison.OrdinalIgnoreCase);
        }

        /// <summary>