ignite-dev mailing list archives

From Vladimir Ozerov <voze...@gridgain.com>
Subject Re: Exception handling in thin client: should we pass stack traces to the client?
Date Tue, 19 Sep 2017 07:46:57 GMT
Thanks, folks!

Excellent catch - we should not decide whether to allow it or not, but
rather make it configurable.

On Tue, Sep 19, 2017 at 10:43 AM, Alexey Goncharuk <alexey.goncharuk@gmail.com> wrote:

> I think the protocol should allow both, and the behavior should be either
> configurable or enabled via a system property. Every web server known to me
> allows exposing this information for debugging purposes.
>
> 2017-09-19 10:20 GMT+03:00 Vladimir Ozerov <vozerov@gridgain.com>:
>
> > Igniters,
> >
> > We had a discussion about how to propagate error information from cluster
> > nodes to the client. My opinion is that we should pass a kind of vendor
> > code plus optional error message, if vendor code is not very specific.
> >
> > Alternative idea is to pass the whole stack trace as well. I agree that
> > this is very useful for debugging purposes, but on the other hand IMO it
> > imposes security risk. By sending invalid requests to the server user might
> > get sensitive information about server configuration, such as its version,
> > version of the underlying database, frameworks etc. This information may
> > help attacker to apply some version-specific attacks. This is precise
> > reason why default error pages of web servers with stack traces are always
> > replaced with some stubs.
> >
> > This is why I think we should not include stack traces.
> >
> > What do you think?
> >
> > Vladimir.
> >
>
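
A sketch of the configurable behavior the thread converges on, added here as an example and not taken from Ignite or from the posters: the vendor code is always sent, the message only when the code is generic, and the stack trace only when a switch is turned on. The class name, the system property name, the two codes and the `errorId` correlation field are all assumptions made for the illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical sketch, not Ignite code: the error part of a thin-client response. */
public class ClientErrorResponse {
    /** Hypothetical property name. Unset means false, so traces stay on the server by default. */
    static final String PROP_SEND_TRACE = "example.thinclient.sendServerStackTrace";

    /** Constructed vendor codes for the example. */
    static final int CODE_GENERIC_FAILURE = 1;
    static final int CODE_CACHE_NOT_FOUND = 1000;

    private static final Logger LOG = Logger.getLogger(ClientErrorResponse.class.getName());

    final int code;          // always sent
    final String message;    // sent only when the code alone is not specific
    final String errorId;    // assumption: lets an operator find the full trace in the server log
    final String stackTrace; // null unless explicitly enabled

    private ClientErrorResponse(int code, String message, String errorId, String stackTrace) {
        this.code = code;
        this.message = message;
        this.errorId = errorId;
        this.stackTrace = stackTrace;
    }

    static ClientErrorResponse from(int code, Throwable err) {
        String errorId = UUID.randomUUID().toString();
        // Full detail always goes to the server log, whatever the client is allowed to see.
        LOG.log(Level.SEVERE, "Client request failed, errorId=" + errorId, err);

        String msg = (code == CODE_GENERIC_FAILURE) ? err.getMessage() : null;
        String trace = null;
        if (Boolean.getBoolean(PROP_SEND_TRACE)) { // reads the JVM system property
            StringWriter sw = new StringWriter();
            err.printStackTrace(new PrintWriter(sw, true));
            trace = sw.toString();
        }
        return new ClientErrorResponse(code, msg, errorId, trace);
    }

    public static void main(String[] args) {
        Throwable err = new IllegalStateException("Failed to parse request header"); // constructed
        ClientErrorResponse r = from(CODE_GENERIC_FAILURE, err);
        System.out.println("code=" + r.code + " message=" + r.message + " errorId=" + r.errorId
            + " stackTrace=" + (r.stackTrace == null ? "<withheld>" : r.stackTrace));
    }
}
```

Running it with `-Dexample.thinclient.sendServerStackTrace=true` on the JVM command line includes the trace in the response; without the flag the client sees only the code, the message and the correlation id.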
