tomcat-users mailing list archives

From August Kleimo <aug...@kleimo.com>
Subject Re: “exception-message” header reveals path to document root in 404 response.
Date Sat, 11 Jan 2014 00:03:04 GMT
Thanks. Perhaps it's coming from Railo then. I'll investigate down that
path.


On Fri, Jan 10, 2014 at 3:56 PM, Mark Eggers <its_toasted@yahoo.com> wrote:

> On 1/10/2014 3:28 PM, August Kleimo wrote:
>
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>> is revealing the path to the document web root in an "exception-message"
>> header when a missing page is requested.
>>
>> Does anyone know of a way to get rid of this header from the response?
>>
>> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
>> is coming from Tomcat.
>>
>> $ curl -I http://mydomain.com/this-page-does-not-exist.html
>>
>> HTTP/1.1 404 Not Found
>> Date: Fri, 10 Jan 2014 23:23:22 GMT
>> Server: Apache-Coyote/1.1
>> exception-message: Page /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html] not found
>> Content-Type: text/html;charset=UTF-8
>> Content-Length: 44
>> Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
>> Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
>> Connection: close
>>
> From Tomcat 7.0.42 / APR Native on Fedora 20 with jre 1.7.0_45:
>
> curl -I http://localhost:8080/this-does-not-exist.html
> HTTP/1.1 404 Not Found
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Length: 999
> Date: Fri, 10 Jan 2014 23:46:44 GMT
>
> A quick grep of the Tomcat 7 trunk code does not reveal the string
> 'exception-message' anywhere.
>
> I didn't see anything in the change log concerning this, either.
>
> . . . . just my (waiting for testing to be done) two cents
> /mde/
