Community Edition / MGNLCE-292

Provide default error page not disclosing server info


Details

    • Type: Improvement
    • Resolution: Unresolved

    Description

      The default Tomcat error page discloses the error stack trace (if any). That is great during development, but causes issues in production, where an attacker can use it to gain knowledge about the internals of the product and how it responds to errors. Hence the practice is frowned upon by security experts.

      We should change the default value in the shipped web.xml so that the information is not disclosed. Devs should rely on log files for errors instead.

      As of the Servlet 3.0 spec we could simply set one generic page for all errors (while keeping more specific ones for specific errors where desirable):

      <error-page>
          <location>/errorpages/generic.html</location>
      </error-page>


      Alternatively (spec 2.5) we could also set a page for the generic exception type, but we would need to test the behaviour when it is combined with error-code mappings. Not sure which takes precedence:

      <error-page>
          <exception-type>java.lang.Exception</exception-type>
          <location>/errorpages/exception.html</location>
      </error-page>
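      To verify either variant in a shipped web.xml, here is an added example (not part of this issue or of Magnolia's code) that parses the deployment descriptor and reports whether a Servlet 3.0 catch-all mapping exists, which is what keeps the container's default stack-trace page off the wire. The two embedded web.xml documents are constructed samples.

```python
# Audit a Servlet web.xml for error-page coverage: a catch-all <error-page>
# (no <error-code>/<exception-type>, Servlet 3.0+) replaces the container's
# default stack-trace page for every error no specific mapping handles.
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip the namespace ({uri}name -> name); web.xml is usually namespaced."""
    return tag.rsplit("}", 1)[-1]


def audit_error_pages(web_xml: str) -> dict:
    """Summarise <error-page> mappings: catch-all present, per-code, per-exception."""
    root = ET.fromstring(web_xml)
    report = {"catch_all": False, "codes": {}, "exceptions": {}, "missing_location": 0}
    for page in root.iter():
        if _local(page.tag) != "error-page":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in page}
        location = fields.get("location")
        if not location:  # an <error-page> without <location> maps nothing
            report["missing_location"] += 1
        elif "error-code" in fields:
            report["codes"][fields["error-code"]] = location
        elif "exception-type" in fields:
            report["exceptions"][fields["exception-type"]] = location
        else:
            report["catch_all"] = True
    return report


def discloses_by_default(web_xml: str) -> bool:
    """True when some error can still fall through to the container's default page."""
    return not audit_error_pages(web_xml)["catch_all"]


# Constructed sample: the catch-all from the issue plus one specific 404 page.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page>
    <error-code>404</error-code>
    <location>/errorpages/404.html</location>
  </error-page>
  <error-page>
    <location>/errorpages/generic.html</location>
  </error-page>
</web-app>"""

# Constructed sample: only a 404 mapping, so a 500 still shows the default page.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <error-page><error-code>404</error-code><location>/errorpages/404.html</location></error-page>
</web-app>"""
```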


      People

        Assignee: Unassigned
        Reporter: Jan Haderka