Don't expose exception error attribute by default
#8971
Conversation
spring-projects-issues
added
the
status: waiting-for-triage
| @@ -64,6 +66,12 @@ | |||
| private static final String ERROR_ATTRIBUTE = DefaultErrorAttributes.class.getName() | |||
| + ".ERROR"; | |||
|
|
|||
| private boolean includeException; | |||
There was a problem hiding this comment.
Shouldn't this be a constructor instead?
There was a problem hiding this comment.
Yes, I'd also prefer that. Just went with more passive approach initially, will update this.
| @@ -94,7 +102,7 @@ private void storeErrorAttributes(HttpServletRequest request, Exception ex) { | |||
| private void addStatus(Map<String, Object> errorAttributes, | |||
| RequestAttributes requestAttributes) { | |||
| Integer status = getAttribute(requestAttributes, | |||
| "javax.servlet.error.status_code"); | |||
| RequestDispatcher.ERROR_STATUS_CODE); | |||
There was a problem hiding this comment.
That looks like an unrelated change to me.
There was a problem hiding this comment.
Yes, that's what I was referring to in the opening comment:
I've also changed DefaultErrorAttributes to use RequestDispatcher constants instead of String literals for standard attribute names.
Should I open a separate PR to address this?
There was a problem hiding this comment.
We have a few places where we've avoided referencing RequestDispatcher directly to help with Servlet 2.5 compatibility. My preference would be to take care of all of them in a single, separate change.
There was a problem hiding this comment.
OK - at which branch should I target that change?
There was a problem hiding this comment.
Against master, please. But only if you're feeling particularly generous; it's not the most exciting of changes :)
| @@ -180,9 +177,21 @@ private void testBindingResult(BindingResult bindingResult, Exception ex) { | |||
| } | |||
|
|
|||
| @Test | |||
| public void exception() throws Exception { | |||
There was a problem hiding this comment.
Perhaps that method name could be a bit more explicit?
|
I've updated the PR to address the comments. |
snicoll
added
priority: normal
type: enhancement
* pr/8971: Polish "Do not expose `exception` error attribute by default" Do not expose `exception` error attribute by default
|
This has failed the build ( |
This resolves #7872 by introducing
server.error.include-exceptionconfiguration property which defaults tofalse.I've also changed
DefaultErrorAttributesto useRequestDispatcherconstants instead ofStringliterals for standard attribute names.