ignite-dev mailing list archives

From Vladimir Ozerov <voze...@gridgain.com>
Subject Exception handling in thin client: should we pass stack traces to the client?
Date Tue, 19 Sep 2017 07:20:21 GMT
Igniters,

We had a discussion about how to propagate error information from cluster
nodes to the client. My opinion is that we should pass a kind of vendor
code plus optional error message, if vendor code is not very specific.

An alternative idea is to pass the whole stack trace as well. I agree that
this is very useful for debugging purposes, but on the other hand IMO it
imposes a security risk. By sending invalid requests to the server, a user might
get sensitive information about server configuration, such as its version,
version of the underlying database, frameworks etc. This information may
help an attacker to apply some version-specific attacks. This is the precise
reason why default error pages of web servers with stack traces are always
replaced with some stubs.

This is why I think we should not include stack traces.

What do you think?

Vladimir.
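
The proposal in the message above (vendor code plus an optional message, no stack trace), sketched as an added example that is not part of the original message and is not Apache Ignite code. Every class, code number and message is hypothetical, the server-side log reference is an assumption added for illustration, and the code needs Java 16 or later.

```java
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration; every name here is hypothetical, not an Apache Ignite API. */
public class ClientErrorMapper {
    private static final Logger LOG = Logger.getLogger(ClientErrorMapper.class.getName());

    /** Constructed vendor codes. A 'specific' code is self-explanatory and carries no message. */
    enum VendorCode {
        MALFORMED_REQUEST(1001, true),
        OPERATION_FAILED(2000, false),
        INTERNAL_ERROR(9999, true);

        final int code;
        final boolean specific;
        VendorCode(int code, boolean specific) { this.code = code; this.specific = specific; }
    }

    /** Thrown by server code with a message written deliberately for the client. */
    static class ClientVisibleException extends RuntimeException {
        final VendorCode vendorCode;
        ClientVisibleException(VendorCode vendorCode, String clientMsg) {
            super(clientMsg);
            this.vendorCode = vendorCode;
        }
    }

    /** What goes on the wire: a code, an optional message, and a log reference (assumption). */
    record ErrorResponse(int code, String message, String logRef) {}

    static ErrorResponse toResponse(Throwable err) {
        // The full stack trace stays in the server log, keyed by a random reference.
        String logRef = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Client request failed, ref=" + logRef, err);
        if (err instanceof ClientVisibleException e) {
            // The message is attached only when the vendor code alone is not specific enough.
            String msg = e.vendorCode.specific ? null : e.getMessage();
            return new ErrorResponse(e.vendorCode.code, msg, logRef);
        }
        // Anything unexpected collapses to one opaque code: no class names, no versions.
        return new ErrorResponse(VendorCode.INTERNAL_ERROR.code, null, logRef);
    }

    public static void main(String[] args) {
        // Constructed inputs: one client-safe failure, one internal failure with version details.
        System.out.println(toResponse(new ClientVisibleException(
            VendorCode.OPERATION_FAILED, "Cache 'orders' does not exist")));
        System.out.println(toResponse(new IllegalStateException("ExampleDB 1.2.3 parse error")));
    }
}
```

The second call returns only code 9999 and a log reference, so the constructed database name and version in the exception text reach the server log but not the client.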
