BUGFIX Don't allow HTML formatting in RequestHandler->httpError() by sending "Content-Type: text/plain" response headers. (from r114444)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.4@114445 467b73ca-7a2a-4603-9d3b-597d59a354a9
Ingo Schommer 2010-12-02 18:11:18 +00:00 committed by Sam Minnee
parent 30e3f08efb
commit f79c6aeb83
2 changed files with 7 additions and 4 deletions


@ -301,11 +301,16 @@ class RequestHandler extends ViewableData {
* {@link RequestHandler::handleAction()} and returned to the user. * {@link RequestHandler::handleAction()} and returned to the user.
* *
* @param int $errorCode * @param int $errorCode
* @param string $errorMessage * @param string $errorMessage Plaintext error message
* @uses SS_HTTPResponse_Exception * @uses SS_HTTPResponse_Exception
*/ */
public function httpError($errorCode, $errorMessage = null) { public function httpError($errorCode, $errorMessage = null) {
throw new SS_HTTPResponse_Exception($errorMessage, $errorCode); $e = new SS_HTTPResponse_Exception($errorMessage, $errorCode);
// Error responses should always be considered plaintext, for security reasons
$e->getResponse()->addHeader('Content-Type', 'text/plain');
throw $e;
} }
/** /**
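Review bot: The new `Content-Type: text/plain` header on the error response has no charset and nothing stops a sniffing client from second-guessing it, so a message that happens to look like markup could still end up rendered as HTML by legacy browsers that sniff `text/plain` bodies; the two lines I would change are `$e->getResponse()->addHeader('Content-Type', 'text/plain; charset=utf-8');` followed by `$e->getResponse()->addHeader('X-Content-Type-Options', 'nosniff');`. The comment above the header could also name the actual risk rather than "for security reasons", e.g. `// Force plaintext so a caller-supplied message is never interpreted as HTML/script by the browser`. Note that only httpError() sets this header; code that constructs SS_HTTPResponse_Exception directly presumably keeps whatever content type the response defaults to, which is worth confirming against other call sites. The enclosing class RequestHandler begins and ends outside this hunk.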


@ -1,8 +1,6 @@
<?php <?php
require_once 'TestRunner.php'; require_once 'TestRunner.php';
PhpUnitWrapper::inst()->init();
/** /**
* Test case class for the Sapphire framework. * Test case class for the Sapphire framework.
* Sapphire unit testing is based on PHPUnit, but provides a number of hooks into our data model that make it easier to work with. * Sapphire unit testing is based on PHPUnit, but provides a number of hooks into our data model that make it easier to work with.