Affected version: 2.2.12
If code (incorrectly) does this:
Code:
throw $this->errorException($this->noPermission());
errorException has no type hints to indicate its type signature is actually string|string[]|Stringable|Stringable[], so passing it the result of noPermission doesn't cause any errors or hints that it has the wrong type. Instead the XF error page will throw "Object of class XF\Mvc\Reply\View could not be converted to string", converting what was a user-facing error message into a hard error, while obscuring the original message.

Ideally XF\Mvc\Reply\Reply\Error or somewhere in the call chain of errorException should validate that the array elements (or singular item) are strings, or something which has a __toString method. Sadly a direct type hint on Stringable is PHP 8+ only.
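A PHP 7-compatible version of the check the report asks for, as an added example that is not XenForo code and not part of the original post. The function name and the two stand-in classes are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration, not XenForo source. All names here are hypothetical.

/**
 * Accepts a single message or an array of messages and verifies that each
 * one is a string or an object with __toString(). Runs on PHP 7, where the
 * Stringable interface is not available as a type hint.
 *
 * @param mixed $errors
 * @return array the validated messages, unchanged, always as an array
 */
function assertErrorMessagesStringable($errors): array
{
    $list = is_array($errors) ? $errors : [$errors];
    foreach ($list as $key => $item) {
        if (is_string($item)) {
            continue;
        }
        if (is_object($item) && method_exists($item, '__toString')) {
            continue; // left uncast so lazily rendered phrases stay lazy
        }
        // Fail at the call site with the offending type named, instead of
        // a "could not be converted to string" error during rendering.
        $type = is_object($item) ? get_class($item) : gettype($item);
        throw new InvalidArgumentException(
            "Error message at index '$key' must be a string or implement __toString(), got $type"
        );
    }
    return $list;
}

// Constructed stand-ins for the demo.
final class FakeViewReply {}   // no __toString(), like a reply object
final class FakePhrase
{
    private $text;
    public function __construct(string $text) { $this->text = $text; }
    public function __toString(): string { return $this->text; }
}

var_dump(count(assertErrorMessagesStringable('You do not have permission.')));
var_dump(count(assertErrorMessagesStringable([new FakePhrase('Login required.'), 'Try again.'])));

try {
    assertErrorMessagesStringable(new FakeViewReply());
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```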