SecurityException Status Codes
#2

(03-27-2024, 04:26 AM)donpwinston Wrote: It appears CI4.4.3 is setting a 5XX status code for SecurityExceptions. My security people are complaining about this. They (unbelievably) have classified it as a HIGH/cat 1 severity security vulnerability. I think my apps (5 of them) have been doing this for a few years but all of a sudden they are flagging this now for some reason. (They do regular probing of our apps every Sunday)
How can I change this?
I set

    security.redirect = true

in the .env file but I think that only applies to CSRF SecurityExceptions. I throw a bunch of them in several filters I use to counter other security vulnerabilities my security people have told me to fix. I suppose I could throw some other kind of exception but I'd rather not.

Looking at the SecurityException class, the disallowedAction is supposed to be a 403. So my SecurityException invocations should not be setting the status code to 5xx.

What else could it be?

I edited App/Config/Exceptions and replaced the exception handler with a customized SecureExceptionHandler. For status codes 500 and above I set it to 418 or 403.

I don't like doing this because I'll have to check it after every upgrade to see if anything changed. ExceptionHandler is a final class. I can't subclass it. I can only just copy it.
Simpler is always better
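As an added example (not the poster's code and not part of CodeIgniter), one way to get the 403 without maintaining a copy of the final ExceptionHandler: wrap the stock handler in a small decorator and return it from Config\Exceptions::handler(). It assumes the CI 4.4 ExceptionHandlerInterface signature; the class name App\Debug\SecurityStatusHandler and its file location are this example's choice.

```php
<?php
// app/Debug/SecurityStatusHandler.php (name and location chosen for this example)

namespace App\Debug;

use CodeIgniter\Debug\ExceptionHandlerInterface;
use CodeIgniter\HTTP\RequestInterface;
use CodeIgniter\HTTP\ResponseInterface;
use CodeIgniter\Security\Exceptions\SecurityException;
use Throwable;

/**
 * Decorates the framework's (final) ExceptionHandler instead of copying it.
 * A SecurityException that arrives with a 5xx status is downgraded to 403
 * before the stock handler sets the response status and renders the page.
 */
final class SecurityStatusHandler implements ExceptionHandlerInterface
{
    public function __construct(private ExceptionHandlerInterface $inner)
    {
    }

    public function handle(
        Throwable $exception,
        RequestInterface $request,
        ResponseInterface $response,
        int $statusCode,
        int $exitCode
    ): void {
        // Only touch SecurityExceptions; genuine server errors stay 5xx so
        // they still show up in monitoring and alerting.
        if ($exception instanceof SecurityException && $statusCode >= 500) {
            $statusCode = 403;
        }

        $this->inner->handle($exception, $request, $response, $statusCode, $exitCode);
    }
}

// app/Config/Exceptions.php: replace only the handler() method, leaving the
// rest of the shipped config untouched.
//
//     public function handler(int $statusCode, Throwable $exception): ExceptionHandlerInterface
//     {
//         return new \App\Debug\SecurityStatusHandler(new ExceptionHandler($this));
//     }
```

The only thing to re-check after an upgrade is the handle() signature, since everything else still comes from the stock handler. A SecurityException constructed with no code (new SecurityException('...')) carries code 0, which the framework maps to 500, so that is the usual reason one of these ends up as a 5xx even though forDisallowedAction() sets 403.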


Messages In This Thread
SecurityException Status Codes - by donpwinston - 03-27-2024, 04:26 AM
RE: SecurityException Status Codes - by donpwinston - 03-27-2024, 06:17 AM
RE: SecurityException Status Codes - by kenjis - 03-27-2024, 03:50 PM
RE: SecurityException Status Codes - by kenjis - 03-31-2024, 02:43 PM
RE: SecurityException Status Codes - by kenjis - 04-01-2024, 06:21 PM


