[ https://issues.apache.org/jira/browse/THRIFT-727?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14519854#comment-14519854 ]

Jens Geyer edited comment on THRIFT-727 at 4/29/15 6:08 PM:
------------------------------------------------------------

If the API is public, everybody can call it. If we understand 
{{RESULTS_OF_OBJ_DUMP}} as what it describes, a dump of some data, anybody 
programming against that API will see that data. Dump data are by definition 
potentially security relevant, because by definition you don't know what people 
are going to do with Thrift. 

{quote}
How much that information will be finally shown to end-user - that's the 
decision of developer
{quote}

Sure, people will still continue to make dumb mistakes (often because they 
don't know better or because they don't care), but we should not "help" them by 
[shipping with insecure 
defaults|http://en.wikipedia.org/wiki/Secure_by_default], like dumping unknown 
data into error messages. 


was (Author: jensg):
If the API is public, everybody can call it. If we understand 
{{RESULTS_OF_OBJ_DUMP}} as what it describes, a dump of some data, anybody 
programming against that API will see that data. Dump data are by definition 
potentially security relevant, because by definition you don't know what people 
are going to do with Thrift. 

{quote}
How much that information will be finally shown to end-user - that's the 
decision of developer
{quote}

Sure, people will still continue to make dumb mistakes (in fact, a lot of them 
do), but we should not "help" them by [shipping with insecure 
defaults|http://en.wikipedia.org/wiki/Secure_by_default], like dumping unknown 
data into error messages. 

> support native language specific exception message
> --------------------------------------------------
>
>                 Key: THRIFT-727
>                 URL: https://issues.apache.org/jira/browse/THRIFT-727
>             Project: Thrift
>          Issue Type: Improvement
>          Components: Compiler (General)
>    Affects Versions: 0.2
>         Environment: all
>            Reporter: Ping Li
>            Priority: Minor
>
> The current exception implementation requires the error message to be declared and 
> referenced explicitly, especially when it's sent from server to the client. 
> On the client side, this error message cannot be accessed via a native API like 
> exception::what() in C++.
> Example,
> {code}
> exception MyException {
>   1: i32   code;
>   2: string message;
> }
> {code}
> On client side, it can only be accessed like this,
> {code}
> try {
>   server->someMethod();
> } catch (MyException &e) {
>   cout << "MyException: " << e.message << endl;     // this will print the exception message
>   cout << "MyException: " << e.what() << endl;      // this will print TException::Default
> }
> {code}
> At the same time, if TException::message_ is initialized, exception::what() 
> does work when the exception is caught locally.
> It's a little confusing when to use the native method, and when to use Thrift 
> exception message data member.
> It'll be really nice if all exception messages can be accessed the same way 
> through the native language on the client side.
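An added example, not code from the Thrift project or from anyone in this thread, that puts both points of the discussion into plain C++: a stand-in TException base whose what() falls back to a fixed default string when message_ is empty, a MyException whose what() returns the transmitted message field so the native API works on the client side as the report asks, and, for Jens' secure-by-default point, a server-side error report that keeps an object dump in the server log instead of in the message sent to the caller. TException, MyException, someMethod, reportInsecure and reportSecureDefault are simplified stand-ins written for this example, not Thrift's real classes or compiler-generated code.

```cpp
#include <cstdint>
#include <exception>
#include <iostream>
#include <string>

// Stand-in for Thrift's TException (not the real class): message_ is a local
// member that is never serialized, and what() returns a fixed default when it
// is empty, which is the "TException::Default" behaviour the report describes.
class TException : public std::exception {
public:
    TException() = default;
    explicit TException(const std::string& message) : message_(message) {}
    const char* what() const noexcept override {
        return message_.empty() ? "Default TException." : message_.c_str();
    }
protected:
    std::string message_;
};

// What `exception MyException { 1: i32 code; 2: string message; }` could
// generate if the compiler wired the IDL `message` field into what().
class MyException : public TException {
public:
    int32_t code = 0;
    std::string message;
    const char* what() const noexcept override {
        // Prefer the field that actually crossed the wire; fall back to the
        // base default so what() is never empty.
        return message.empty() ? TException::what() : message.c_str();
    }
};

// Simulated remote call: only the IDL fields arrive from the server, as they
// would after deserialization. message_ stays empty on the client side.
void someMethod() {
    MyException e;
    e.code = 42;
    e.message = "quota exceeded";
    throw e;
}

// Client side: with the override above, the native what() gives the same
// text as e.message, which is what the report asks for.
std::string callAndDescribe() {
    try {
        someMethod();
    } catch (MyException& e) {
        return std::string("MyException: ") + e.what();
    }
    return "no exception";
}

// Server-side error reporting for an unknown object ("RESULTS_OF_OBJ_DUMP" in
// the discussion). The insecure variant pastes the internal dump into the
// message that travels to every caller; the secure default sends a fixed
// message and keeps the dump where only the operator can read it.
struct ErrorReport {
    std::string toClient;
    std::string toServerLog;
};

ErrorReport reportInsecure(const std::string& objDump) {
    return {"Internal error while processing: " + objDump, ""};
}

ErrorReport reportSecureDefault(const std::string& objDump) {
    return {"Internal error, see server log for details.",
            "processing failed; object state: " + objDump};
}

int main() {
    std::cout << callAndDescribe() << std::endl;
    // Constructed sample dump; a real one might hold credentials or PII.
    const std::string dump = "{user=alice, session=constructed-sample}";
    std::cout << "insecure -> client: " << reportInsecure(dump).toClient << std::endl;
    std::cout << "secure   -> client: " << reportSecureDefault(dump).toClient << std::endl;
    std::cout << "secure   -> log:    " << reportSecureDefault(dump).toServerLog << std::endl;
    return 0;
}
```

The client-side part only changes which string what() hands back; nothing new crosses the wire. The server-side part is the actual default worth shipping: the detailed dump still exists for debugging, but the caller-visible message is a constant that cannot leak whatever the object happened to contain.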



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
