We're always happy to receive improvements. Ian
On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing. <daniel.calli...@stadt-salzburg.at> wrote:

> Hello Jukka,
>
> the 'java.lang.NumberFormatException' is only one example for error
> messages that expose system details. There might be a lot of other
> information that will be shown to potential attackers when detailed error
> messages are shown to the user, f.e. database related errors showing the
> database vendor (and indirectly also the database version).
>
> So I also think that error messages should be more generic!
>
> Regards
>
> Daniel
>
> *From:* Naresh N [mailto:naresh...@gmail.com]
> *Sent:* Friday, August 31, 2018 11:20 AM
> *To:* jukka.rahko...@maanmittauslaitos.fi
> *Cc:* Geoserver-users@lists.sourceforge.net
> *Subject:* Re: [Geoserver-users] Disabling error response of WMS/WFS to
> the Clients/users
>
> Dear Jukka Rahkonent,
>
> Thanks a lot for the response and for explaining in detail.
>
> Best Regards,
>
> Naresh.N
>
> On Thu, Aug 30, 2018 at 5:56 PM Rahkonen Jukka (MML) <
> jukka.rahko...@maanmittauslaitos.fi> wrote:
>
> Hi,
>
> If you use just a non-supported outputformat
>
> http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88
>
> then the error is
>
> <ServiceException code="InvalidFormat">
>
> There is no support for creating maps in image/png88 format
>
> Your error comes from a non-numeric height parameter
>
> http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8
>
> gives a similar error
>
> <ServiceException>
>
> java.lang.NumberFormatException: For input string: "acu330"
>
> By reading the WMS 1.3.0 standard such invalid WIDTH and HEIGHT parameters
> are not really dealt with in it. What is closest is in this:
> “If the WMS server has declared that a Layer has fixed width and height,
> as described in 7.2.4.7.5, then the client shall specify exactly those
> WIDTH and HEIGHT values in the GetMap request and the server may issue a
> service exception otherwise.”
>
> The message reveals that the server is Java based, which is something that the
> end user does not need to know. It is also telling that the number format used
> in the request is not correct and that’s useful information for the user.
> Disabling the whole exception is not possible because it is mandatory. So
> what is left is filtering the “java.lang” away. I believe it could be done
> (I am not a developer) but I believe that it would not be any huge
> improvement for the security. If somebody proves that I am wrong I can
> change my mind.
>
> -Jukka Rahkonen-
>
> *From:* Naresh N [mailto:naresh...@gmail.com]
> *Sent:* 30 August 2018 9:52
> *To:* Rahkonen Jukka (MML) <jukka.rahko...@maanmittauslaitos.fi>
> *Subject:* Re: [Geoserver-users] Disabling error response of WMS/WFS to the
> Clients/users
>
> Dear Jukka Rahkonent,
>
> Please find the below request
>
> http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&format=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode:kds_name&width=200
>
> The above request is generated by a Web Application Security tool, and is
> listed as a security alert as it is showing the error message as
> java.lang.NumberFormatException. Recommendation is to disable the error
> message. Kindly help me to resolve this.
>
> Thanks & Regards,
>
> Naresh
>
> On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML) <
> jukka.rahko...@maanmittauslaitos.fi> wrote:
>
> Hi,
>
> Please show the whole request with the wrong &FORMAT= parameter.
>
> -Jukka Rahkonen-
> ------------------------------
>
> *From:* Naresh N <naresh...@gmail.com>
> *Sent:* 30.8.2018 7:22
> *To:* Rahkonen Jukka (MML) <jukka.rahko...@maanmittauslaitos.fi>
> *Subject:* Re: [Geoserver-users] Disabling error response of WMS/WFS to the
> Clients/users
>
> Dear Jukka Rahkonent,
>
> Thanks for the response. The error message 'java.lang.NumberFormatException'
> belongs to InvalidFormat. Instead of showing the service
> exception, i.e. java.lang.NumberFormatException, how to display the
> InvalidFormat message to the user. Although this error is not displaying any
> sensitive information, as per our security alerts measure, we want to disable
> the error messages. Kindly let me know how to do it.
>
> Thanks & Regards,
>
> Naresh
>
> On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML) <
> jukka.rahko...@maanmittauslaitos.fi> wrote:
>
> Hi,
>
> I suppose that you mean the contents "java.lang.NumberFormatException:
> For input string:". Exceptions are compulsory by the WMS standard. The
> following codes are reserved for special meanings.
>
> InvalidFormat
> InvalidCRS
> LayerNotDefined
> StyleNotDefined
> LayerNotQueryable
> InvalidPoint
> CurrentUpdateSequence
> InvalidUpdateSequence
> MissingDimensionValue
> InvalidDimensionValue
> OperationNotSupported
>
> The error that triggers your error does not quite suit with these
> predefined meanings and therefore the error code must be something else.
> The code that you get now is "java.lang.NumberFormatException". At least it
> is somewhat informative but would you rather see some other text as an
> error message?
>
> Client can also ask exceptions in another format with &EXCEPTIONS=INIMAGE
> or &EXCEPTIONS=BLANK, but the default XML format is still mandatory and it
> can't be turned off.
>
> -Jukka Rahkonen-
>
> -----Original message-----
> From: naresh [mailto:naresh...@gmail.com]
> Sent: 29 August 2018 16:33
> To: geoserver-users@lists.sourceforge.net
> Subject: [Geoserver-users] Disabling error response of WMS/WFS to the
> Clients/users
>
> Hello ALL,
>
> Please see the following error message received on wrong values of params
> of WMS request
>
> <ServiceExceptionReport xmlns="http://www.opengis.net/ogc"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.3.0"
> xsi:schemaLocation="http://www.opengis.net/ogc
> http://bhuvan-suvidha.nrsc.gov.in/geoserver/schemas/wms/1.3.0/exceptions_1_3_0.xsd">
> <ServiceException>
> java.lang.NumberFormatException: For input string: "" For input string: ""
> </ServiceException>
> </ServiceExceptionReport>
>
> I want to disable the error message, it should not be displayed to user
>
> *How to disable errors displaying messages in Geoserver.*
>
> Please help solving my issue
>
> Thanks & Regards,
> Naresh
>
> --
> Sent from:
> http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html
>
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
Ian Turton
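The filtering step discussed in the thread (keep the mandatory ServiceExceptionReport, drop the "java.lang" part) can be sketched as follows. This is an added example, not code from the thread or from GeoServer; the function name, the fallback wording and the sample XML are assumptions constructed for illustration, and the check operates on a response body, for instance in a regression test or a proxy layer.

```python
import re
import xml.etree.ElementTree as ET

OGC_NS = "http://www.opengis.net/ogc"
ET.register_namespace("", OGC_NS)  # serialize with the default OGC namespace

# Fully qualified Java class name ending in Exception/Error, with an optional ": ".
JAVA_CLASS = re.compile(r"\b((?:[a-z_][\w$]*\.)+[A-Z][\w$]*(?:Exception|Error))\b:?[ \t]*")
# Stack-trace frame such as "at org.example.Foo.bar(Foo.java:12)".
STACK_FRAME = re.compile(r"^\s*at\s+[\w$.<>]+\(.*\)\s*$", re.MULTILINE)
GENERIC = "Invalid request parameter"  # assumed fallback wording


def sanitize_report(xml_text):
    """Return (sanitized_xml, leaked_class_names) for a ServiceExceptionReport."""
    root = ET.fromstring(xml_text)
    leaked = []
    for exc in root.iter("{%s}ServiceException" % OGC_NS):
        text = exc.text or ""
        leaked += [m.group(1) for m in JAVA_CLASS.finditer(text)]
        # Drop stack frames first, then class names; keep the useful remainder.
        text = JAVA_CLASS.sub("", STACK_FRAME.sub("", text)).strip()
        exc.text = text or GENERIC
        # A standard code such as InvalidFormat stays; a class name used as code goes.
        code = exc.get("code", "")
        if JAVA_CLASS.fullmatch(code):
            leaked.append(code)
            del exc.attrib["code"]
    return ET.tostring(root, encoding="unicode"), leaked


# Constructed sample, modelled on the responses quoted in the thread.
SAMPLE = """<ServiceExceptionReport xmlns="http://www.opengis.net/ogc" version="1.3.0">
  <ServiceException>
    java.lang.NumberFormatException: For input string: "acu330"
  </ServiceException>
  <ServiceException code="InvalidFormat">
    There is no support for creating maps in image/png88 format
  </ServiceException>
</ServiceExceptionReport>"""

if __name__ == "__main__":
    cleaned, found = sanitize_report(SAMPLE)
    print(found)
    print(cleaned)
```

A non-empty list of leaked names is also usable as a test assertion against a staging server's error responses.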