Feature: #89978 - Introduce Status Report for insecure exception handler settings¶
See forge#89978
Description¶
When using a debug exception handler in production (either by configuring it explicitly or by using the wrong application context) stack traces may disclose information. To avoid such setups a new status report has been introduced that warns administrators if a debug exception handler is configured.
Impact¶
To mitigate the information disclosure, a new status report has been introduced:
if display errors is set to 1 (-> uses DebugExceptionHandler setting) and context is Production, an Error is displayed
if display errors is set to 1 (-> uses DebugExceptionHandler setting) and context is Development, a Warning is displayed
if the production exception handler setting is configured to use the DebugExceptionHandler, an Error is displayed