1 files changed, 115 insertions, 1 deletions

diff --git a/modules/gallery/libraries/MY_Kohana_Exception.php b/modules/gallery/libraries/MY_Kohana_Exception.php
index 1c40091a..1712d895 100644
--- a/modules/gallery/libraries/MY_Kohana_Exception.php
+++ b/modules/gallery/libraries/MY_Kohana_Exception.php
@@ -33,6 +33,120 @@ class Kohana_Exception extends Kohana_Exception_Core {
     if ($e instanceof ORM_Validation_Exception) {
       Kohana_Log::add("error", "Validation errors: " . print_r($e->validation->errors(), 1));
     }
-    return parent::handle($e);
+    try {
+      $user = identity::active_user();
+      $try_themed_view = $user && !$user->admin;
+    } catch (Exception $e2) {
+      $try_themed_view = false;
+    }
+
+    if ($try_themed_view) {
+      try {
+        return self::_show_themed_error_page($e);
+      } catch (Exception $e3) {
+        Kohana_Log::add("error", "Exception in exception handling code: " . self::text($e3));
+        return parent::handle($e);
+      }
+    } else {
+      return parent::handle($e);
+    }
+  }
+
+  /**
+   * Shows a themed error page.
+   * @see Kohana_Exception::handle
+   */
+  private static function _show_themed_error_page(Exception $e) {
+    // Create a text version of the exception
+    $error = Kohana_Exception::text($e);
+    
+    // Add this exception to the log
+    Kohana_Log::add('error', $error);
+
+    // Manually save logs after exceptions
+    Kohana_Log::save();
+
+    if (!headers_sent()) {
+      if ($e instanceof Kohana_Exception) {
+        $e->sendHeaders();
+      } else {
+        header("HTTP/1.1 500 Internal Server Error");
+      }
+    }
+
+    $view = new Theme_View("page.html", "other", "error");
+    if ($e instanceof Kohana_404_Exception) {
+      $view->page_title = t("Dang...  Page not found!");
+      $view->content = new View("error_404.html");
+      $user = identity::active_user();
+      $view->content->is_guest = $user && $user->guest;
+      if ($view->content->is_guest) {
+        $view->content->login_form = new View("login_ajax.html");
+        $view->content->login_form->form = auth::get_login_form("login/auth_html");
+        // Avoid anti-phishing protection by passing the url as session variable.
+        Session::instance()->set("continue_url", url::current(true));
+      }
+    } else {
+      $view->page_title = t("Dang...  Something went wrong!");
+      $view->content = new View("error.html");
+    }
+    print $view;
+  }
+
+  /**
+   * @see Kohana_Exception::dump()
+   */
+  public static function dump($value, $length=128, $max_level=5) {
+    return self::safe_dump($value, null, $length, $max_level);
+  }
+
+  /**
+   * A safer version of dump(), eliding sensitive information in the dumped
+   * data, such as session ids and passwords / hashes.
+   */
+  public static function safe_dump($value, $key, $length=128, $max_level=5) {
+    return parent::dump(self::_sanitize_for_dump($value, $key), $length, $max_level);
+  }
+
+  /**
+   * Elides sensitive data which shouldn't be echoed to the client,
+   * such as passwords, and other secrets.
+   */
+  /* Visible for testing*/ static function _sanitize_for_dump($value, $key=null) {
+    // Better elide too much than letting something through.
+    // Note: unanchored match is intended.
+    $sensitive_info_pattern =
+      '/(password|pass|email|hash|private_key|session_id|session|g3sid|csrf|secret)/i';
+    if (preg_match($sensitive_info_pattern, $key) ||
+        (is_string($value) && preg_match('/[a-f0-9]{20,}/i', $value))) {
+      return 'removed for display';
+    } else if (is_object($value)) {
+      if ($value instanceof Database) {
+        // Elide database password, host, name, user, etc.
+        return get_class($value) . ' object - details omitted for display';
+      } else if ($value instanceof User_Model) {
+        return get_class($value) . ' object for "' . $value->name . '" - details omitted for display';
+      }
+      return self::_sanitize_for_dump((array) $value, $key);
+    } else if (is_array($value)) {
+      $result = array();
+      foreach ($value as $k => $v) {
+        $actual_key = $k;
+        $key_for_display = $k;
+        if ($k[0] === "\x00") {
+          // Remove the access level from the variable name
+          $actual_key = substr($k, strrpos($k, "\x00") + 1);
+          $access = $k[1] === '*' ? 'protected' : 'private';
+          $key_for_display = "$access: $actual_key";
+        }
+        if (is_object($v)) {
+          $key_for_display .= ' (type: ' . get_class($v) . ')';
+        }
+        $result[$key_for_display] = self::_sanitize_for_dump($v, $actual_key);
+      }
+    } else {
+      $result = $value;
+    }
+    return $result;
   }
 }
\ No newline at end of file