tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: svn commit: r1348762 - in /tomcat/trunk: java/org/apache/catalina/valves/ErrorReportValve.java test/org/apache/catalina/valves/TestErrorReportValve.java
Date Mon, 11 Jun 2012 17:02:22 GMT
Mark,

On 6/11/12 5:24 AM, markt@apache.org wrote:
> Author: markt
> Date: Mon Jun 11 09:24:53 2012
> New Revision: 1348762
> 
> URL: http://svn.apache.org/viewvc?rev=1348762&view=rev
> Log:
> Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=53071
> Stepping through the code, light dawns as to what the bug report was getting at.
> Use the message from the Throwable for the error report if none was specified via sendError()

This might end up being a security problem, depending on what
information is in the exception message. Can we make this a non-default
option? Many sites (ours included) attempt to avoid any part of a stack
trace (even the message) leaking out to users.

-chris
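
The fallback described in the commit log, combined with the opt-in requested in the reply, shown as an added example that is not Tomcat's code and not part of either message. `reportMessage`, `exposeThrowableMessage` and the sample exception are hypothetical names constructed for illustration.

```java
// Added illustration; class, method and flag names are hypothetical, not Tomcat's API.
public class ErrorReportMessageDemo {

    static final String GENERIC = "An internal error occurred.";

    /** Escape the characters that matter in an HTML text node or attribute value. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Pick the text shown on the error page.
     * 1. A message passed explicitly to sendError() was chosen by the application: use it.
     * 2. Otherwise use the Throwable's message only when exposeThrowableMessage is on.
     * 3. Otherwise show a fixed generic string; the detail belongs in the server log.
     */
    static String reportMessage(String sendErrorMessage, Throwable t,
                                boolean exposeThrowableMessage) {
        String chosen = GENERIC;
        if (sendErrorMessage != null && !sendErrorMessage.isEmpty()) {
            chosen = sendErrorMessage;
        } else if (exposeThrowableMessage && t != null && t.getMessage() != null) {
            chosen = t.getMessage();
        }
        return escapeHtml(chosen);
    }

    public static void main(String[] args) {
        // Constructed exception whose message carries internal detail.
        Throwable t = new IllegalStateException(
                "Table 'crm.users' doesn't exist at db01.internal:3306");
        System.out.println(reportMessage(null, t, true));   // fallback on: detail reaches the page
        System.out.println(reportMessage(null, t, false));  // fallback off: generic text only
        System.out.println(reportMessage("Order not found", t, false)); // explicit message wins
    }
}
```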

