Don't include full path of error messages in OONI explorer's error page
We got a HackerOne report by yox about a full path disclosure on the OONI Explorer error page:
https://explorer.ooni.torproject.org//x
Impact
This security vulnerability could potentially allow a malicious hacker to map an attack against internal systems. For example, if this were to be chained with another vulnerability such as path traversal, it may lead to compromise of internal systems.
Mitigation
Typically these sorts of errors occur from incorrect data types. In this case it seems like it is just a simple 404 page, which is, however, leaking too much information to the user.
A best-practice method is to log these types of errors to a local text file, while showing the user a friendly 404 message. This is often achieved by disabling error reporting on the application side.
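The mitigation above, sketched as an added example (not OONI Explorer's code): the full error goes to a server-side log sink, and the user gets a fixed message plus a reference id that ties it to the log entry. The function names, the `/srv/example-app` paths and the `sink` callback are assumptions made for illustration.

```javascript
// Added example: not OONI Explorer's code. All names here are hypothetical.

// Generic messages shown to the user, keyed by HTTP status.
const PUBLIC_MESSAGES = {
  404: "Page not found.",
  500: "Something went wrong on our side.",
};

// Short correlation id so an operator can find the matching log entry.
// It is not a secret, so Math.random is sufficient here.
function newReferenceId() {
  return Date.now().toString(36) + "-" + Math.random().toString(36).slice(2, 8);
}

// Build the client response for an error and send the full detail to `sink`.
// `sink` is any function that takes one log line, for example a wrapper that
// appends to a local file readable only by the service account.
function handleError(err, requestPath, sink) {
  const status = err && err.status === 404 ? 404 : 500;
  const ref = newReferenceId();

  // Server side: keep everything, including stack trace and file paths.
  sink(JSON.stringify({
    time: new Date().toISOString(),
    ref,
    status,
    requestPath,
    message: String(err && err.message),
    stack: String(err && err.stack),
  }));

  // Client side: fixed text plus the reference id, nothing taken from `err`.
  return {
    status,
    headers: { "Content-Type": "text/plain; charset=utf-8" },
    body: `${PUBLIC_MESSAGES[status]} Reference: ${ref}\n`,
  };
}

// Constructed sample: an error whose message and stack carry a server path.
function demo() {
  const lines = [];
  const err = new Error("Cannot find /srv/example-app/client/x");
  err.status = 404;
  err.stack = "Error: Cannot find /srv/example-app/client/x\n    at /srv/example-app/server/server.js:10:5";
  const res = handleError(err, "//x", (line) => lines.push(line));
  return { res, lines };
}
```

Anything that is not an explicit 404 falls through to the generic 500 message, so an unexpected error type cannot reach the response body.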