From 13be8e6dfb81df87a6e3efefff009f690063260b Mon Sep 17 00:00:00 2001
From: Alex Gustafsson
Date: Fri, 16 Jan 2026 12:20:10 +0100
Subject: [PATCH] fix: don't expose JWT-related errors (#4892)

The share / public router would expose the parse error of JWTs when serving images, leading to unnecesasry information disclosure. Replace any error with a generic "invalid request" as is already done when serving the streams themselves.
---
 server/public/handle_images.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/public/handle_images.go b/server/public/handle_images.go
index 6de44ddd..5b1194cc 100644
--- a/server/public/handle_images.go
+++ b/server/public/handle_images.go
@@ -35,7 +35,7 @@ func (pub *Router) handleImages(w http.ResponseWriter, r *http.Request) {
 artId, err := decodeArtworkID(id)
 if err != nil {
 log.Error(r, "Error decoding artwork id", "id", id, err)
- http.Error(w, err.Error(), http.StatusBadRequest)
+ http.Error(w, "invalid request", http.StatusBadRequest)
 return
 }
 size := p.IntOr("size", 0)
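Review bot: The `log.Error` call on the context line just above the changed line still writes the raw `id` to the server log, and if that value is the signed share token the description refers to, every malformed or expired token sent to this public route is recorded there at error level. Consider logging only the error (or a truncated form of the id) and lowering the severity, since the input is client-controlled. The new literal would also benefit from a short comment so the detailed error is not reintroduced later, e.g. `// keep the response generic: err may carry JWT parse details`. handleImages continues outside the hunk, so any other `http.Error(w, err.Error(), ...)` further down is not visible here and is worth checking against the same rule.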