From c63273afd1777ac449831468e16e748cfc237949 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Wed, 15 Apr 2026 05:21:36 -0700
Subject: [PATCH] fix(security): raw exception messages are returned to clients in

In `afterException`, the middleware returns `$exception->getMessage()` to the client for `NoSuchFormException`. If exception messages include internal identifiers, query context, or untrusted input, this can lead to information disclosure and potentially reflected content issues in consuming clients.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 lib/Middleware/ThrottleFormAccessMiddleware.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/Middleware/ThrottleFormAccessMiddleware.php b/lib/Middleware/ThrottleFormAccessMiddleware.php
index 2379d638e..54a9012f2 100644
--- a/lib/Middleware/ThrottleFormAccessMiddleware.php
+++ b/lib/Middleware/ThrottleFormAccessMiddleware.php
@@ -25,7 +25,7 @@ public function afterException(Controller $controller, string $methodName, Excep
 		}
 
 		$response = new DataResponse(
-			$exception->getMessage(),
+			'Form not found',
 			$exception->getCode(),
 		);
 		$response->throttle(['action' => 'form']);
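Review bot: The response body is now a fixed "Form not found" string, but the status on the following line still comes from `$exception->getCode()`, so the message and status can disagree, and if the exception carries the default code 0 (or any non-HTTP value) the DataResponse is built with an invalid status; with the message pinned to "not found" the status should be pinned to match, e.g. `Http::STATUS_NOT_FOUND` if `OCP\AppFramework\Http` is in scope in this file. Since the original exception message no longer reaches the client, consider recording it server-side (a logger, if one is injected into this middleware) so the diagnostic detail is not lost entirely rather than just hidden. The literal is also untranslated; if the middleware has an `IL10N` instance, `$this->l10n->t('Form not found')` keeps it consistent with the rest of the app's client-facing strings. The `afterException` method starts before this hunk, so the guard that selects `NoSuchFormException` is not visible here and the above assumes the hunk only runs for that exception type.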