Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/04/10 16:01:12 UTC

[Bug 56383] New: Securing ErrorReportValve

https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

            Bug ID: 56383
           Summary: Securing ErrorReportValve
           Product: Tomcat 7
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: thrain123@gmail.com

Created attachment 31507
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31507&action=edit
Patch for ErrorReportValve

When the default error valve returns its report it publishes the Tomcat version
and some other troubleshooting data. This of course breaks security standards
at some companies and also is published as an item that needs to be remediated
when hardening Tomcat (OWASP - goo.gl/Zr9xso). When using the OWASP solution of
replacing the serverInfo.properties file it can and will break tools/code that
use that information.

Attached is the proposed enhancement to be able to switch options to show minimal
information back.

Adding the below will return only an HTML page with the status. No CSS
or title:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />

Currently, the default is true for both, so if users still want to see the current
report nothing will have to change in their server.xml.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 56383] Securing ErrorReportValve [PATCH]

Violeta Georgieva <vi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |polina.genova@gmail.com

--- Comment #10 from Violeta Georgieva <vi...@apache.org> ---
*** Bug 52751 has been marked as a duplicate of this bug. ***

[Bug 56383] Securing ErrorReportValve [PATCH]

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #8 from Konstantin Kolinko <kn...@gmail.com> ---
When both showServerInfo and showReport are false, the generated HTML will have
no <title> element. If I remember the specs correctly, a <title> is required.

A good alternative will be

sb.append(smClient.getString("errorReportValve.statusHeader",
                String.valueOf(statusCode), message))

// errorReportValve.statusHeader=HTTP Status {0} - {1}

[Bug 56383] Securing ErrorReportValve [PATCH]

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Konstantin Kolinko from comment #8)

Fixed, will be in 8.0.6 and 7.0.54.

I went with the standard title "Error report".

When I tried repeating the header text in the title, it looked bad for 404
errors.

[Bug 56383] Securing ErrorReportValve [PATCH]

--- Comment #6 from Nick Bunn <th...@gmail.com> ---
My first patch did actually keep the CSS. However, after talking more with my
team at work and looking at what the TomEE team has done (it doesn't have CSS
either), it was determined that if I left it you would then know it's Tomcat, so
you would still have a possible security issue.

I just want to note you have to set both settings to false to remove the CSS.
If you just disable the version you will see the CSS for the report part.

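As an added illustration (this is not Tomcat's code and not the attached patch), the following Python model reproduces the behaviour described in the initial report and in comments #6, #8 and #9: the troubleshooting report and the server-info footer are controlled by showReport and showServerInfo, the stylesheet is dropped only when both are false, and a <title> is always emitted (fixed at "Error report"). The exact markup, the abbreviated CSS, and the SERVER_INFO placeholder are assumptions; audit_error_page() is a hypothetical helper a defender can run over a captured error response body to confirm that the page no longer discloses the server version or the report detail.

```python
import re
from html import escape

# Constructed stand-in for the value Tomcat prints in the footer; the version is a placeholder.
SERVER_INFO = "Apache Tomcat/X.Y.Z"
# Title settled in comment #9: the same fixed text regardless of the two flags.
TITLE = "Error report"
# Abbreviated stand-in for the error-page stylesheet (assumed, not the real file).
TOMCAT_CSS = "H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}"


def render_error_report(status_code, message, show_report=True, show_server_info=True,
                        exception_type=None, description=None):
    """Model of the valve's HTML report under showReport / showServerInfo.

    Both default to True, matching the thread: an unchanged server.xml keeps
    producing the full report.
    """
    parts = ["<html><head>", f"<title>{escape(TITLE)}</title>"]
    # Comment #6: the stylesheet is omitted only when BOTH flags are false,
    # because the CSS alone identifies the server as Tomcat.
    if show_report or show_server_info:
        parts.append(f"<style><!--{TOMCAT_CSS}--></style>")
    parts.append("</head><body>")
    # The status header is always present (errorReportValve.statusHeader in comment #8).
    parts.append(f"<h1>HTTP Status {status_code} - {escape(message)}</h1>")
    if show_report:
        # Troubleshooting detail: exception type, message, description.
        parts.append('<hr size="1" noshade="noshade">')
        if exception_type:
            parts.append(f"<p><b>type</b> {escape(exception_type)}</p>")
        parts.append(f"<p><b>message</b> <u>{escape(message)}</u></p>")
        if description:
            parts.append(f"<p><b>description</b> <u>{escape(description)}</u></p>")
    if show_server_info:
        # The footer is the part that discloses product and version.
        parts.append('<hr size="1" noshade="noshade">')
        parts.append(f"<h3>{escape(SERVER_INFO)}</h3>")
    parts.append("</body></html>")
    return "".join(parts)


# Matches "Apache Tomcat/<token>" anywhere in a response body.
_VERSION_RE = re.compile(r"Apache Tomcat/[^\s<]+")


def audit_error_page(html):
    """Hypothetical hardening check over an error response body (string).

    Reports whether the page carries a <title>, whether it discloses the server
    version, whether it exposes the troubleshooting report, and whether it still
    ships the identifying stylesheet.
    """
    return {
        "has_title": re.search(r"<title>[^<]+</title>", html, re.IGNORECASE) is not None,
        "leaks_server_info": _VERSION_RE.search(html) is not None,
        "leaks_report": "<b>description</b>" in html or "<b>type</b>" in html,
        "has_tomcat_css": "#525D76" in html,
    }


if __name__ == "__main__":
    # Walk the four flag combinations and show what each one still exposes.
    for flags in [(True, True), (True, False), (False, True), (False, False)]:
        page = render_error_report(404, "Not Found", *flags,
                                   description="The requested resource is not available.")
        print(f"showReport={flags[0]!s:5} showServerInfo={flags[1]!s:5} -> {audit_error_page(page)}")
```

The audit shows the point made in comment #6: with showServerInfo="false" alone the version is gone but the stylesheet still identifies the product, and only the combination of both flags set to false yields a page with nothing but the status header and a title.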
[Bug 56383] Securing ErrorReportValve [PATCH]

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Securing ErrorReportValve   |Securing ErrorReportValve
                   |                            |[PATCH]

[Bug 56383] Securing ErrorReportValve [PATCH]

--- Comment #5 from Violeta Georgieva <vi...@apache.org> ---
Hi,

I see that you are removing the CSS when showReport is false. Why is that?

When showServerInfo is false you are removing the whole footer. Why is that?
You can remove only the text so that the page stays with the same look and
feel.

Regards
Violeta

[Bug 56383] Securing ErrorReportValve

Nick Bunn <th...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31507|0                           |1
        is obsolete|                            |

--- Comment #2 from Nick Bunn <th...@gmail.com> ---
Created attachment 31510
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31510&action=edit
Patch for ErrorReportValve_02

Added:
* Getter methods
* Exposed new attributes via JMX?
* Updated documentation

[Bug 56383] Securing ErrorReportValve [PATCH]

Nick Bunn <th...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31510|0                           |1
        is obsolete|                            |

--- Comment #3 from Nick Bunn <th...@gmail.com> ---
Created attachment 31529
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31529&action=edit
Patch for ErrorReportValve_03

Changed the variables to protected from private

[Bug 56383] Securing ErrorReportValve

Nick Bunn <th...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thrain123@gmail.com

[Bug 56383] Securing ErrorReportValve [PATCH]

Violeta Georgieva <vi...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Violeta Georgieva <vi...@apache.org> ---
Thanks for the report and the patch. This has been fixed in trunk for 8.0.6 and
in 7.0.x for 7.0.54 onwards.

[Bug 56383] Securing ErrorReportValve

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31507|0                           |1
           is patch|                            |

[Bug 56383] Securing ErrorReportValve [PATCH]

--- Comment #4 from Nick Bunn <th...@gmail.com> ---
Do I need to provide a patch for Tomcat 6 and 8?

[Bug 56383] Securing ErrorReportValve

--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> ---
Comment on attachment 31507
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31507
Patch for ErrorReportValve

1. Add getter methods?

2. Expose new attributes via JMX? 
(Update mbeans-descriptors.xml file in the same package)

3. Documentation?

(Update webapps/docs/config/valve.xml. A bit more work than usual, because
ErrorReportValve is not documented there at all)
