tomcat-dev mailing list archives

From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: ErrorValve enhancement
Date Wed, 09 Apr 2014 17:36:50 GMT
Hi

For this kind of reason we included in TomEE:
http://svn.apache.org/repos/asf/tomee/tomee/trunk/tomee/tomee-catalina/src/main/java/org/apache/tomee/catalina/valve/MinimumErrorReportValve.java

It would be great to get it in Tomcat OOTB.

Romain Manni-Bucau
Twitter: @rmannibucau
Blog: http://rmannibucau.wordpress.com/
LinkedIn: http://fr.linkedin.com/in/rmannibucau
Github: https://github.com/rmannibucau



2014-04-09 18:36 GMT+02:00 Nick Bunn <thrain123@gmail.com>:
> Good Day,
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the Tomcat version and some other troubleshooting data.
> This of course breaks one of my security team's rules and is also published
> as an item that needs to be remediated when hardening Tomcat (OWASP -
> goo.gl/Zr9xso). When using the OWASP solution of replacing the
> serverInfo.properties file, it can and will break tools/code that use that
> information (in my case our deployment agent). The other two solutions are to
> create our own valve and just change it to the default error valve, or
> override the status code at the HTTPD server (which broke our JSON and SOAP
> requests that were providing valid 4XX and 5XX). That being said, why not
> just have the capability to disable this information in the current error
> valve? This way we are not requiring users to override their
> serverinfo.properties or create some custom error valve they will have to
> maintain. Thoughts?
>
> Attached is a simple patch to version 7.0.x. Can easily be ported to
> 8.0.x as not much has changed. You would then just add the below to your
> server.xml:
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
> showReport="false" showServerInfo="false" />
>
>
> Thanks,
> Nick Bunn
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
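A defender-side check of whether the hardening described in the thread actually took effect, added here as an example and not part of either message or of Tomcat itself: it scans a captured error response for the disclosures Nick lists (version string in the report body, stack trace, container name in the `Server` header). Both sample bodies are constructed and only modelled on the stock report's layout; the `Server` header comes from the Connector's separate `server` attribute rather than from the valve, so it is reported as its own finding.

```python
import re
from typing import Dict, List

# Version string the stock ErrorReportValve prints in the page title and footer.
VERSION_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")
# A Java exception line followed by an "at pkg.Class.method(" frame, i.e. a stack trace.
TRACE_RE = re.compile(r"(?:Exception|Error)\b[^\n]*\n\s+at\s+[\w.$]+\(")


def find_error_page_leaks(status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return disclosure findings for one captured HTTP response.

    The valve only renders 4xx/5xx responses, so anything else is ignored.
    The Server header is produced by the Connector's 'server' attribute,
    not by the valve, so it is reported separately from the body findings.
    """
    if status < 400:
        return []
    findings: List[str] = []
    for name, value in headers.items():
        if name.lower() == "server" and re.search(r"tomcat|coyote", value, re.I):
            findings.append(f"Server header reveals container: {value}")
    version = VERSION_RE.search(body)
    if version:
        findings.append(f"body reveals version: {version.group(0)}")
    if TRACE_RE.search(body):
        findings.append("body contains a stack trace (showReport still enabled)")
    return findings


# Constructed sample modelled on the shape of the stock report before hardening.
DEFAULT_500_BODY = """<html><head><title>Apache Tomcat/7.0.52 - Error report</title></head>
<body><h1>HTTP Status 500 - </h1><hr/>
<p><b>type</b> Exception report</p>
<p><b>exception</b> <pre>java.lang.NullPointerException
    at com.example.Foo.bar(Foo.java:42)
</pre></p>
<hr/><h3>Apache Tomcat/7.0.52</h3></body></html>"""

# Constructed sample standing in for a hardened page: status only, no version, no report.
HARDENED_500_BODY = """<html><head><title>HTTP Status 500</title></head>
<body><h1>HTTP Status 500 - </h1></body></html>"""


if __name__ == "__main__":
    for label, hdrs, body in (("default", {"Server": "Apache-Coyote/1.1"}, DEFAULT_500_BODY),
                              ("hardened", {}, HARDENED_500_BODY)):
        print(label, find_error_page_leaks(500, hdrs, body) or ["no disclosure found"])
```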
