From e99f664580b359bb17a1470ef591035cefad4230 Mon Sep 17 00:00:00 2001
From: Carl Schwan
Date: Mon, 4 May 2026 10:54:56 +0200
Subject: [PATCH] fix: Prevent error page to display arbitrary error messages

fix: Prevent error page to display arbitrary error messages

Signed-off-by: Carl Schwan
[skip ci]
---
 lib/AppInfo/Application.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
index 167700f31..398a96b9f 100644
--- a/lib/AppInfo/Application.php
+++ b/lib/AppInfo/Application.php
@@ -10,6 +10,7 @@ namespace OCA\User_SAML\AppInfo;
 use OC\Security\CSRF\CsrfTokenManager;
+use OC\User\DisabledUserException;
 use OC\User\LoginException;
 use OC_User;
 use OCA\DAV\Events\SabrePluginAddEvent;
@@ -128,12 +129,14 @@ public function boot(IBootContext $context): void {
 if ($request->getPathInfo() === '/apps/user_saml/saml/error') {
 return;
 }
+/** @psalm-suppress UndefinedClass */
 $targetUrl = $urlGenerator->linkToRouteAbsolute(
 'user_saml.SAML.genericError',
 [
-'message' => $e->getMessage()
+'reason' => $e instanceof DisabledUserException ? 'userDisabled' : 'authFailed',
 ]
 );
+$logger->error('Login failure', ['exception' => $e]);
 header('Location: ' . $targetUrl);
 exit();
 }
@@ -151,7 +154,7 @@ public function boot(IBootContext $context): void {
 $targetUrl = $urlGenerator->linkToRouteAbsolute(
 'user_saml.SAML.genericError',
 [
-'message' => $l10n->t('This user account is disabled, please contact your administrator.')
+'reason' => 'userDisabled',
 ]
 );
 header('Location: ' . $targetUrl);
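Review bot: Replacing the free-text `message` parameter with a fixed `reason` token only closes the reflected-content issue if the `user_saml.SAML.genericError` handler maps `reason` through an allowlist of known values (`'userDisabled'`, `'authFailed'`) and falls back to a generic message for anything else; that controller is not part of this patch, so the receiving side should be checked with it (the same applies to the `'reason' => 'userDisabled'` line in the hunk at line 154). The added `$logger->error('Login failure', ['exception' => $e]);` relies on a `$logger` variable that is not defined anywhere in this hunk, and `boot()` starts before the hunk, so confirm that the closure actually captures or resolves `$logger`, since an undefined variable here would break the redirect path that is supposed to handle failures gracefully. The `/** @psalm-suppress UndefinedClass */` docblock sits above the `$targetUrl` assignment while the only class reference it covers is the `instanceof DisabledUserException` check inside the argument array; a short why-comment such as `// DisabledUserException is private \OC API and unknown to psalm` would make the suppression self-explanatory. The two redirect blocks now differ only in how `reason` is chosen; extracting the route construction into a small private helper taking the reason string would keep both call sites consistent if more reasons are added later.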