Avoid disclosing IP addresses in unauthenticated requests (#10579)

* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

* removing extra information from the returned error, to avoid leaking it to unauthenticated requests

* Change the error message in a way that is retains the HTTP status code

Co-authored-by: bruj0 <[email protected]>

Author: sgmiller

http/logical.go

@@ -112,13 +112,17 @@ func buildLogicalRequestNoAuth(perfStandby bool, w http.ResponseWriter, r *http.
 			// and an incorrect content-type).
 			head, err := bufferedBody.Peek(512)
 			if err != nil && err != bufio.ErrBufferFull && err != io.EOF {
-				return nil, nil, http.StatusBadRequest, err
+				status := http.StatusBadRequest
+				logical.AdjustErrorStatusCode(&status, err)
+				return nil, nil, status, fmt.Errorf("error reading data")
 			}
 
 			if isForm(head, r.Header.Get("Content-Type")) {
 				formData, err := parseFormRequest(r)
 				if err != nil {
-					return nil, nil, http.StatusBadRequest, fmt.Errorf("error parsing form data: %w", err)
+					status := http.StatusBadRequest
+					logical.AdjustErrorStatusCode(&status, err)
+					return nil, nil, status, fmt.Errorf("error parsing form data")
 				}
 
 				data = formData
@@ -129,7 +133,9 @@ func buildLogicalRequestNoAuth(perfStandby bool, w http.ResponseWriter, r *http.
 					err = nil
 				}
 				if err != nil {
-					return nil, nil, http.StatusBadRequest, err
+					status := http.StatusBadRequest
+					logical.AdjustErrorStatusCode(&status, err)
+					return nil, nil, status, fmt.Errorf("error parsing JSON")
 				}
 			}
 		}