This is an automated email from the ASF dual-hosted git repository.
rgoers pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/logging-flume.git
The following commit(s) were added to refs/heads/trunk by this push:
new ce667d2e5 Don't leak exception details in `HTTPSource` responses (#442)
ce667d2e5 is described below
commit ce667d2e536d6710104f7f2037d52bd61458a621
Author: Piotr P. Karwasz <[email protected]>
AuthorDate: Fri Jun 5 23:08:51 2026 +0200
Don't leak exception details in `HTTPSource` responses (#442)
`HTTPSource` appended `ex.getMessage()` to its HTTP error responses, which
can disclose internal implementation details to clients. The exceptions are
already logged server-side, so return a generic message per status code and
keep the detail in the logs only.
Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>
---
.../main/java/org/apache/flume/source/http/HTTPSource.java | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git
a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
index bc25a020f..3f32b59f2 100644
--- a/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
+++ b/flume-ng-core/src/main/java/org/apache/flume/source/http/HTTPSource.java
@@ -234,16 +234,13 @@ public class HTTPSource extends
SslContextAwareAbstractSource implements
} catch (HTTPBadRequestException ex) {
LOG.warn("Received bad request from client. ", ex);
sourceCounter.incrementEventReadFail();
- response.sendError(HttpServletResponse.SC_BAD_REQUEST,
- "Bad request from client. "
- + ex.getMessage());
+ response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Bad request
from client.");
return;
} catch (Exception ex) {
LOG.warn("Deserializer threw unexpected exception. ", ex);
sourceCounter.incrementEventReadFail();
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- "Deserializer threw unexpected exception. "
- + ex.getMessage());
+ "Deserializer threw unexpected exception.");
return;
}
sourceCounter.incrementAppendBatchReceivedCount();
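Review bot: Now that `ex.getMessage()` no longer reaches the 400 response, the `LOG.warn("Received bad request from client. ", ex)` on the context line above the change is the only record of why a request was rejected, and it writes a full stack trace at WARN for every malformed request; if this source is reachable by unauthenticated clients, that is a cheap log-flooding vector. Consider `LOG.warn("Received bad request from client: {}", ex.getMessage());` with the throwable itself at DEBUG, `LOG.debug("Bad request details", ex);`, since an `HTTPBadRequestException` presumably carries the deserializer's own description of the bad input rather than a stack worth keeping at WARN. The second handler's `"Deserializer threw unexpected exception."` still names the failing component to the client; a fully generic `"Internal server error."` gives a probing client nothing while the log keeps the detail. The enclosing method starts before this hunk.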
@@ -256,15 +253,13 @@ public class HTTPSource extends
SslContextAwareAbstractSource implements
+ "capacity or make sure the sinks perform faster.", ex);
sourceCounter.incrementChannelWriteFail();
response.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE,
- "Error appending event to channel. Channel might be full."
- + ex.getMessage());
+ "Error appending event to channel. Channel might be full.");
return;
} catch (Exception ex) {
LOG.warn("Unexpected error appending event to channel. ", ex);
sourceCounter.incrementGenericProcessingFail();
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
- "Unexpected error while appending event to channel. "
- + ex.getMessage());
+ "Unexpected error while appending event to channel.");
return;
}
response.setCharacterEncoding(request.getCharacterEncoding());
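Review bot: The `response.setCharacterEncoding(request.getCharacterEncoding())` on the hunk's last line copies a client-supplied charset name into the response Content-Type with no validation, and a malformed name may be rejected by the container only later, after the batch has already been committed to the channel; what follows this line is outside the hunk, so confirm whether a writer is ever obtained on this response. A small guard that reads the encoding into a local, checks it with `Charset.isSupported` inside a catch for `IllegalCharsetNameException`, and otherwise leaves the response encoding at its default would bound what a client can place in that header. The 503 branch's `"Error appending event to channel. Channel might be full."` is reasonable to keep since it tells a well-behaved client to back off; a `Retry-After` header would make that explicit. The enclosing method and the `catch` whose log statement opens this hunk both start before it.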