Posted to dev@tomcat.apache.org by Nick Bunn <th...@gmail.com> on 2014/04/09 18:36:13 UTC

ErrorValve enhancement

Good Day,
As I'm sure you are all aware, when the default error valve returns its
report it publishes the Tomcat version and some other troubleshooting data.
This of course breaks one of my security team's rules and also is
published as an item that needs to be remediated when hardening Tomcat (OWASP
- goo.gl/Zr9xso ). When using the OWASP solution of replacing the
serverInfo.properties file it can and will break tools/code that uses that
information (in my case our deployment agent). The other two solutions are
to create our own valve and just change it to the default error valve or
override the status code at the HTTPD server (which broke our JSON and SOAP
requests that were providing valid 4XX and 5XX). That being said, why not
just have the capability to disable this information in the current error
valve? This way we are not requiring users to override their
serverinfo.properties or create some custom error valve they will have to
maintain. Thoughts?

Attached is a simple patch to version 7.0.x. Can easily be ported to
8.0.x as not much has changed. You would then just add the below to your
server.xml

<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />

Thanks,
Nick Bunn
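
Added example, not part of the original message or of Tomcat's code: a small audit that checks each Host in a server.xml for the valve settings shown above and checks an error body for the version banner. The sample server.xml and error bodies are constructed, and the script assumes an attribute that is missing defaults to true.

```python
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"
# Version banner as it appears in a default error report footer.
BANNER = re.compile(r"Apache Tomcat/\d+(\.\d+)*")

# Constructed sample: Host "a" is hardened, Host "b" is left at defaults.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Engine name="Catalina" defaultHost="a">
  <Host name="a" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false" />
  </Host>
  <Host name="b" appBase="webapps">
    <Valve className="org.apache.catalina.valves.AccessLogValve" />
  </Host>
</Engine></Service></Server>"""


def audit_hosts(server_xml):
    """Return {host name: [findings]} for every Host that can still leak."""
    findings = {}
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == VALVE]
        if not valves:
            # Without an explicit valve the Host falls back to the default one.
            findings[name] = ["no explicit ErrorReportValve, defaults apply"]
            continue
        for attr in ("showReport", "showServerInfo"):
            # Assumption: a missing attribute means the value is true.
            if valves[0].get(attr, "true").strip().lower() != "false":
                findings.setdefault(name, []).append(attr + " is not false")
    return findings


def leaks_banner(error_body):
    """True if an error page body carries a Tomcat version banner."""
    return BANNER.search(error_body) is not None


if __name__ == "__main__":
    for host, issues in audit_hosts(SAMPLE_SERVER_XML).items():
        print(host, "->", "; ".join(issues))
```

Running `leaks_banner` over the body of a deliberately requested 404 after a configuration change confirms the setting took effect on the live Host, not just in the file.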

Re: ErrorValve enhancement

Posted by Nick Bunn <th...@gmail.com>.
Chris,
Done (Bug 56383 <https://issues.apache.org/bugzilla/show_bug.cgi?id=56383>).
I didn't know if we needed to talk about it first since it was an
enhancement. On another note, do I need to make another bug for Tomcat 8 or,
if this one gets accepted, will it be ported over? What about documentation?
Does a patch for the site need to be included in the bug report as well?

Thanks,
Nick Bunn


On Thu, Apr 10, 2014 at 2:17 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Nick,
>
> Please file a Bugzilla bug and attach your patch to it.
>
> -chris
>

Re: ErrorValve enhancement

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Nick,

Please file a Bugzilla bug and attach your patch to it.

-chris



Re: ErrorValve enhancement

Posted by Romain Manni-Bucau <rm...@gmail.com>.
Hi,

For this kind of reason we included in TomEE
http://svn.apache.org/repos/asf/tomee/tomee/trunk/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java

Would be great to get it in Tomcat OOTB.

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org