Error messages leak internal implementation details #172

New Issue

Closed

opened 2026-04-10 16:04:14 +02:00 by shahondin1624 · 0 comments

shahondin1624 commented 2026-04-10 16:04:14 +02:00

Owner

Copy Link

Copy Source

Severity: LOW

Location

Various controllers and services

Description

Some error responses include exception messages that could reveal internal implementation details (e.g., ImportController returns 'Bundle-Import fehlgeschlagen: ' . $e->getMessage()). While the handleAction trait method uses generic "Internal server error" messages, some controllers still have manual catch blocks that expose details.

Recommendation

Ensure all 500 responses use generic messages; log details server-side only.

## Severity: LOW ## Location Various controllers and services ## Description Some error responses include exception messages that could reveal internal implementation details (e.g., `ImportController` returns `'Bundle-Import fehlgeschlagen: ' . $e->getMessage()`). While the `handleAction` trait method uses generic "Internal server error" messages, some controllers still have manual catch blocks that expose details. ## Recommendation Ensure all 500 responses use generic messages; log details server-side only.

shahondin1624 added the backendsecuritypriority:low labels 2026-04-10 16:04:14 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:23:49 +02:00

fix: use generic error messages in ImportController 500 responses (Closes #172)

shahondin1624 referenced a pull request that will close this issue 2026-04-10 16:23:55 +02:00

fix: use generic error messages in ImportController 500 responses (Closes #172) #183

shahondin1624 closed this issue 2026-04-10 16:24:01 +02:00

shahondin1624 referenced this issue from a commit 2026-04-10 16:24:02 +02:00

fix: use generic error messages in ImportController 500 responses (Closes #172) (#183)

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/duplicate-sync-methods

fix/missing-database-transactions

fix/find-archived-filtering-in-memory

fix/n-plus-one-queries-member-list

v0.5.2

v0.3.2

v0.3.1

v0.3.0

v0.2.11

v0.2.10

v0.2.9

v0.2.8

v0.2.7

v0.2.6

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

Labels

Clear labels

backend

Backend / PHP work

bug

Bug report

database

Database migrations and schema

documentation

Documentation

enhancement

Enhancement or improvement

epic

Epic / feature-group issues

frontend

Frontend / Vue.js work

integration

Nextcloud integrations (Calendar, Contacts, Files)

priority:high

High priority

priority:low

Low priority

priority:medium

Medium priority

security

Security-related work

testing

Tests and test infrastructure

No Label backend priority:low security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

shahondin1624

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: shahondin1624/Mitgliederverwaltung#172