From 712d1cdd1e8f87aac864f86877b34f2a4f552494 Mon Sep 17 00:00:00 2001
From: Franz Liedke
Date: Fri, 21 Sep 2018 23:33:28 +0200
Subject: [PATCH] Display only exception messages during booting

By not letting PHP render the stack trace, we prevent displaying sensitive information (such as the database credentials). Instead, we display a simple line with the exception message. In the console, the full exception can still be shown, as that is a tool only for forum admins anyway. Fixes #1421.
---
 framework/core/src/Http/Server.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/framework/core/src/Http/Server.php b/framework/core/src/Http/Server.php
index 9c9e36ee8..b48a5e531 100644
--- a/framework/core/src/Http/Server.php
+++ b/framework/core/src/Http/Server.php
@@ -31,7 +31,7 @@ class Server
 public function listen()
 {
- $app = $this->site->bootApp();
+ $app = $this->safelyBootApp();
 $runner = new RequestHandlerRunner(
 $app->getRequestHandler(),
@@ -45,4 +45,18 @@ class Server
 );
 $runner->run();
 }
+
+ /**
+ * Try to boot Flarum, and prevent exceptions from exposing sensitive info.
+ *
+ * @return \Flarum\Foundation\AppInterface
+ */
+ private function safelyBootApp()
+ {
+ try {
+ return $this->site->bootApp();
+ } catch (Throwable $e) {
+ exit('Error booting Flarum: '.$e->getMessage());
+ }
+ }
 }
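Review bot: The `exit('Error booting Flarum: '.$e->getMessage())` line in the new `safelyBootApp()` still sends the raw exception message to every visitor, and messages raised by database drivers or filesystem calls commonly embed the database user, host name or absolute paths, so the disclosure is narrowed rather than closed. Consider keeping the detail server-side and returning a fixed string, e.g. `error_log('Flarum boot failed: '.get_class($e).': '.$e->getMessage());` followed by `exit('Error booting Flarum. See the server error log.');`. Nothing visible in the hunk sets a status before `exit`, so the page presumably leaves with 200; `http_response_code(500);` ahead of it keeps caches and uptime monitoring from treating the error page as a healthy response. The `use Throwable;` import is outside the hunk: if the file is namespaced and the import is missing, the `catch` would never match and the stack trace would be rendered as before, so it is worth confirming.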