The BadMessageException that occurs during HTTP parsing (before there is a Request object) is handled by ErrorHandler.badMessageError()

See https://github.com/eclipse/jetty.project/blob/jetty-11.0.15/jetty-server/src/main/java/org/eclipse/jetty/server/handler/ErrorHandler.java#L527

That sets the status, and if the status code supports a response body, then it outputs a single line of text that is ...

"<h1>Bad Message " + status + "</h1><pre>reason: " + reason + "</pre>"

(if the status code doesn't support a body, then it's left empty)

There's no exception or anything else Jetty specific that the response produces in this situation.

Joakim Erdfelt / joa...@webtide.com

On Mon, Aug 7, 2023 at 9:50 AM Silvio Bierman via jetty-users <jetty-users@eclipse.org> wrote:

> Hello Simone,
>
> Thank you for the reply. We do not want to change the compliance, the
> error flagging is correct and desired. It is just that some potential
> user doing a pen-test on our system is objecting to the messages being
> generated. The SNI message contains "Caused by:
> org.eclipse.jetty.http.BadMessageException" which is information (Jetty)
> we are not allowed to disclose for security reasons. In general the want
> the ability to tweak all error messages generated by our application. We
> tried to offer that through the custom handler.
>
> There is a Server#setErrorHandler call and I would have expected that
> error handler to be used for such low-level errors. But now I understand
> that this is not the case I was hoping for some other way to customize
> these messages.
>
> Is there anything else I could do to work around this?
>
> Thanks in advance,
>
> Cheers,
>
> Silvio
>
>
> On 07-08-2023 16:32, Simone Bordet wrote:
> > Hi,
> >
> > On Mon, Aug 7, 2023 at 12:16 PM Silvio Bierman via jetty-users
> > <jetty-users@eclipse.org> wrote:
> >> Hi,
> >>
> >> I run embedded Jetty 11.0.13. I have a single servlet instance and call
> >> ServletContextHandler#setErrorHandler(customHandler) during initialization.
> >> But whenever an invalid URL (like one containing empty segments) the handle
> >> method of the custom errorhandler is not called. Instead the message
> >>
> >> Bad Message 400
> >>
> >> reason: Ambiguous URI empty segment
> >>
> >> is generated. Similarly requests with a bad SNI seem to generate a page
> >> that does not go through the custom handler.
> >>
> >> What am I doing wrong? How can I catch these and generate my own error
> >> pages?
> > Some errors happen very early in the request parsing, so when they
> > happen, there is no request, no headers, etc. so we cannot dispatch a
> > "request" to a handler (there is no request).
> > These are typically requests that are so bad that are typically
> > attacks, so you don't want to generate more than a concise 400
> > response from the server, as if the request never arrived.
> >
> > For the particular error "Ambiguous URI empty segment" you can
> > configure the HTTP compliance so that the ambiguity is tolerated, and
> > the request handled as a normal request.
> > See
> > https://eclipse.dev/jetty/documentation/jetty-11/programming-guide/index.html#pg-server-compliance-http
> >
> >
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
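Added example, not part of the original thread and not Jetty's own code: one way to replace the body that ErrorHandler.badMessageError() produces is to override that method in a subclass and register it on the Server. It assumes Jetty 11 on the classpath and that the server-level ErrorHandler is the one consulted for these early parse errors; the class name, logger, port and response text are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.util.BufferUtil;

// Hypothetical class name; badMessageError() is the Jetty method being overridden.
public class GenericBadMessageErrorHandler extends ErrorHandler
{
    private static final Logger LOG = Logger.getLogger("badmessage");

    // Constructed response text: no product name and no parser "reason".
    private static final String BODY = "<h1>Bad request</h1>";

    @Override
    public ByteBuffer badMessageError(int status, String reason, HttpFields.Mutable fields)
    {
        // Keep the parser's reason (e.g. "Ambiguous URI empty segment") for operators only.
        LOG.log(Level.INFO, "bad message: status={0} reason={1}", new Object[]{status, reason});

        // Same rule as the default implementation: statuses that cannot carry a body get none.
        if (HttpStatus.hasNoBody(status))
            return BufferUtil.EMPTY_BUFFER;

        fields.put(HttpHeader.CONTENT_TYPE, "text/html;charset=utf-8");
        // The reason is deliberately not echoed to the client.
        return BufferUtil.toBuffer(BODY, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception
    {
        Server server = new Server(8080); // port is an arbitrary choice for the example
        // Server-level handler, as opposed to ServletContextHandler#setErrorHandler,
        // because no request (and so no context) exists when parsing fails.
        server.setErrorHandler(new GenericBadMessageErrorHandler());
        server.start();
        server.join();
    }
}
```

This only changes the body built by badMessageError(); error pages rendered through the normal request path are still produced by the handler's other methods.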