
Suppressing “command line API” error messages (AJAX/XHR)


Jan Romero

Hi. This is kind of a dumb question, but I’ve been searching for days and couldn’t find an answer.

I’m using an XMLHttpRequest to fetch some JSON from a page. This works as expected as long as I don’t send the header X-Requested-With: XMLHttpRequest. With the header, ProcessWire decides that I’m using the command line API and if something goes wrong, it shows detailed error messages to guest users (“This error message was shown because: you are using the command line API”). I appreciate that when debugging, but it would be nice if I could limit it to just superusers. Is there a setting for this?

Thanks


18 hours ago, horst said:

CLI itself only is for superusers

But ProcessWire’s WireShutdown class considers everything hitting it with X-Requested-With: XMLHttpRequest to be CLI use. The way I see it, from a security perspective that makes the differentiation between public and detailed error messages completely useless: if you’re shown the public error, you can just resend the request with the header and any PW installation will gladly tell all.

It kinda didn’t occur to me to even look through the source, because I figured something like this would have a prominent setting somewhere, but now I think it just might be a bug?

WireShutdown does this:

$useHTML = isset($_SERVER['HTTP_HOST']); // is this an HTTP request where we can output HTML?

[…]

// use text-only output if an http request that is ajax
if($useHTML && $config->ajax) $useHTML = false;

[…]

if($config->debug) {
	$why = $this->labels['debug-mode'] . " (\$config->debug = true; => /site/config.php).";
} else if(!$useHTML) {
	$why = $this->labels['cli-mode'];
}

[…]

if($why) {
	$why = $this->labels['shown-because'] . " $why $who";
	$message = $this->amendErrorMessage($message);
	$this->sendErrorMessage($message, $why, $useHTML);
} else {
	$this->sendFatalError($who, $useHTML);
}

So for this purpose, sending two headers in your request is essentially equivalent to the site being in debug mode. That can’t be right?


13 hours ago, Jan Romero said:

now I think it just might be a bug?

I think you should open an issue for this at GitHub. In WireShutdown the combination of...

// use text-only output if an http request that is ajax
if($useHTML && $config->ajax) $useHTML = false;

...and...

} else if(!$useHTML) {
	$why = $this->labels['cli-mode'];
}

...means that every AJAX request is wrongly treated as being CLI mode.

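An added example, not ProcessWire's code and not written by anyone in this thread: a sketch of keeping the output-format decision (HTML or plain text) separate from the disclosure decision (detailed or public message), which is the coupling the WireShutdown excerpts above show. The function names, the `$isSuperuser` flag, the SAPI strings passed in and the sample requests are all hypothetical.

```php
<?php
// Added illustration; not ProcessWire source. All names here are hypothetical.

// Format decision: may look at client-controlled input, because it only
// changes how a message is rendered, not how much it reveals.
function useHtmlOutput(array $server): bool
{
    $isHttp = isset($server['HTTP_HOST']);
    $isAjax = ($server['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest';
    return $isHttp && !$isAjax;
}

// Disclosure decision: uses only facts a client cannot set with a request
// header: the site's debug setting, the PHP SAPI, and the user's role.
function detailReason(bool $debug, string $sapi, bool $isSuperuser): ?string
{
    if ($debug) {
        return 'debug-mode';
    }
    if ($sapi === 'cli') {
        return 'cli-mode';
    }
    if ($isSuperuser) {
        return 'superuser';
    }
    return null; // show the public error message only
}

// Constructed sample requests: [server vars, SAPI name, debug, superuser].
$http = ['HTTP_HOST' => 'example.test'];
$ajax = $http + ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'];
$cases = [
    'guest, plain request'   => [$http, 'fpm-fcgi', false, false],
    'guest, ajax header'     => [$ajax, 'fpm-fcgi', false, false],
    'superuser, ajax header' => [$ajax, 'fpm-fcgi', false, true],
    'real command line'      => [[], 'cli', false, false],
];

foreach ($cases as $label => [$server, $sapi, $debug, $isSuperuser]) {
    $format = useHtmlOutput($server) ? 'html' : 'text';
    $reason = detailReason($debug, $sapi, $isSuperuser);
    printf("%-24s format=%-4s detail=%s\n", $label, $format, $reason ?? 'none (public message)');
}
```

With this split, the guest request carrying the AJAX header still gets text-only output, but no detail reason, so only the public message would be sent.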
