[jira] [Commented] (SLING-4049) Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14172086#comment-14172086 ] Dominique Jäggi commented on SLING-4049: {quote}The error handling system is configurable and I would think that for a production setup custom errorhandler scripts should be created which don't expose stacktraces, request progress trackers, and system version.{quote} i don't think a production customer would understand the need to deploy custom code simply to turn off insecure stack traces / request progress. this sounds like wanting to evade the (rather minimal) effort of making this configurable. Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress - Key: SLING-4049 URL: https://issues.apache.org/jira/browse/SLING-4049 Project: Sling Issue Type: Improvement Components: Servlets Reporter: Dominique Jäggi it should be configurable whether during error display (40x, 50x, etc) stacktraces or the request progress is displayed or not. for production systems it is undesirable to exhibit information that may allow an attacker to determine internal information such as used scripts, paths, classes, line numbers, etc. ideally this could be centrally configured, affecting both e.g. the JSP handlers (404.jsp) as well as any other facility outputting error conditions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SLING-4049) Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14171198#comment-14171198 ] Felix Meschberger commented on SLING-4049: -- The error handling system is configurable and I would think that for a production setup custom errorhandler scripts should be created which don't expose stacktraces, request progress trackers, and system version. Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress - Key: SLING-4049 URL: https://issues.apache.org/jira/browse/SLING-4049 Project: Sling Issue Type: Improvement Components: Servlets Reporter: Dominique Jäggi it should be configurable whether during error display (40x, 50x, etc) stacktraces or the request progress is displayed or not. for production systems it is undesirable to exhibit information that may allow an attacker to determine internal information such as used scripts, paths, classes, line numbers, etc. ideally this could be centrally configured, affecting both e.g. the JSP handlers (404.jsp) as well as any other facility outputting error conditions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SLING-4049) Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14171217#comment-14171217 ] Carsten Ziegeler commented on SLING-4049: - I think what we should at least do is ensure that always the error handler with the highest service ranking is used, right now it picks up the first one it gets- A production instance could then simply deploy an error handler with a higher ranking than the one registered by the servlet ensure and it's ensure that the production specific wins Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress - Key: SLING-4049 URL: https://issues.apache.org/jira/browse/SLING-4049 Project: Sling Issue Type: Improvement Components: Servlets Reporter: Dominique Jäggi it should be configurable whether during error display (40x, 50x, etc) stacktraces or the request progress is displayed or not. for production systems it is undesirable to exhibit information that may allow an attacker to determine internal information such as used scripts, paths, classes, line numbers, etc. ideally this could be centrally configured, affecting both e.g. the JSP handlers (404.jsp) as well as any other facility outputting error conditions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SLING-4049) Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
[ https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14171279#comment-14171279 ] Felix Meschberger commented on SLING-4049: -- The Sling Servlet Resolver has a default error handler servlet registered for the virtual resource type {{sling/servlet/errorhandler/default}} registered at the end of the search path by virtue of setting {{sling.servlet.prefix=-1}}. Thus any error handler servlet with another path prefix, particularly ones not setting {{sling.servlet.prefix}} at all would overwrite this. For example a customer application could create a script (in whatever active language) or servlet at {{/apps/sling/servlet/default}} and be sure to be called unless there is some more specific error handler script or servlet. Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress - Key: SLING-4049 URL: https://issues.apache.org/jira/browse/SLING-4049 Project: Sling Issue Type: Improvement Components: Servlets Reporter: Dominique Jäggi it should be configurable whether during error display (40x, 50x, etc) stacktraces or the request progress is displayed or not. for production systems it is undesirable to exhibit information that may allow an attacker to determine internal information such as used scripts, paths, classes, line numbers, etc. ideally this could be centrally configured, affecting both e.g. the JSP handlers (404.jsp) as well as any other facility outputting error conditions. -- This message was sent by Atlassian JIRA (v6.3.4#6332)