[ 
https://issues.apache.org/jira/browse/SOLR-14886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17739984#comment-17739984
 ] 

Isabelle Giguere commented on SOLR-14886:
-----------------------------------------

[~cpoerschke]
I may have misunderstood your question: "would it be useful in all the cases 
to hide or only in some?"

If you mean that maybe there should be a way to output the full stack trace for 
admin requests, for example, but not for queries, then with regards to OWASP 
mentioned earlier, stack traces should be hidden in all request responses.

The distinction to make is between dev environments and production environments.
Devs need stack traces (hideStackTrace=false). Production environments need a
way to avoid security gaps, for any request (hideStackTrace=true).

> Suppress stack trace in Query response.
> ---------------------------------------
>
>                 Key: SOLR-14886
>                 URL: https://issues.apache.org/jira/browse/SOLR-14886
>             Project: Solr
>          Issue Type: Improvement
>    Affects Versions: 8.6.2
>            Reporter: Vrinda Davda
>            Priority: Minor
>         Attachments: SOLR-14886.patch, SOLR-14886.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently there is no way to suppress the stack trace in the Solr response when
> it throws an exception, like when a client sends a badly formed query string,
> or an exception with status 500. It sends the full stack trace in the response.
> I would propose a configuration for error messages so that the stack trace is 
> not visible to avoid any sensitive information in the stack trace.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
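
A check that a production deployment could run over captured error responses to confirm that no Java stack frames are exposed, whatever the request type. This is an added example, not part of the Jira thread or of Solr's code; the sample bodies, their field names and the com.example classes are constructed for illustration.

```python
import json
import re

# One Java stack frame, e.g. "at com.example.Foo.bar(Foo.java:42)"
FRAME_RE = re.compile(
    r"\bat\s+[\w$.]+\.[\w$<>]+\((?:[\w$]+\.java:\d+|Native Method|Unknown Source)\)"
)

def _strings(node, path="$"):
    """Yield (json_path, text) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def find_stack_trace_leaks(body: str):
    """Return [(location, frame_count)] for each place the body exposes stack frames."""
    try:
        fields = list(_strings(json.loads(body)))
    except ValueError:
        # Not JSON (e.g. an HTML error page): scan the raw text instead.
        fields = [("<raw body>", body)]
    leaks = []
    for path, text in fields:
        frames = FRAME_RE.findall(text)
        if frames:
            leaks.append((path, len(frames)))
    return leaks

# Constructed sample responses (field names are assumptions, not taken from the thread).
TRACE = ("java.lang.NullPointerException\n"
         "\tat com.example.search.Handler.handle(Handler.java:42)\n"
         "\tat com.example.search.Servlet.doGet(Servlet.java:17)\n")
LEAKY_BODY = json.dumps({"responseHeader": {"status": 500},
                         "error": {"msg": "Server error", "trace": TRACE, "code": 500}})
CLEAN_BODY = json.dumps({"responseHeader": {"status": 400},
                         "error": {"msg": "syntax error at line 1, column 8", "code": 400}})
HTML_BODY = ("<html><body><pre>java.lang.IllegalStateException\n"
             "\tat com.example.search.Handler.handle(Handler.java:42)\n</pre></body></html>")

if __name__ == "__main__":
    for name, body in [("leaky", LEAKY_BODY), ("clean", CLEAN_BODY), ("html", HTML_BODY)]:
        print(name, find_stack_trace_leaks(body))
```

Because the scan walks every string in the body rather than one named field, it reports a trace wherever it appears, for admin requests and queries alike.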
