https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

            Bug ID: 56383
           Summary: Securing ErrorReportValve
           Product: Tomcat 7
           Version: trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: thrain...@gmail.com

Created attachment 31507
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31507&action=edit
Patch for ErrorReportValve

When the default error valve returns its report it publishes the Tomcat version
and some other troubleshooting data. This of course breaks security standards
at some companies and is also published as an item that needs to be remediated
when hardening Tomcat (OWASP - goo.gl/Zr9xso). When using the OWASP solution of
replacing the serverInfo.properties file it can and will break tools/code that
use that information.

Attached is the proposed enhancement to be able to switch options to show minimal
information back.

Adding the below will return only an HTML page with only the status. No CSS
or title:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false" showServerInfo="false" />

Currently the default is true for both, so if users still want to see the current
report nothing will have to change in their server.xml.

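An offline check for the disclosure the report describes, added here as an example; it is not part of the bug report, the attached patch or Tomcat itself. It takes the body of an error response and reports whether the page still names the Tomcat version (what showServerInfo controls) and whether it still carries the troubleshooting sections (what showReport controls), so the effect of flipping the two switches can be verified from the client side. The three sample pages are constructed for the example: the first follows the general layout of Tomcat's default error report, the second is the status-only page the report describes, and the third is an assumed shape for showReport="false" with showServerInfo left at true. The function names and the placeholder version 7.0.0 are likewise the example's own.

```python
"""Audit a Tomcat error page for version and troubleshooting-report disclosure.

Added example, not Tomcat code.  Sample pages below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.request import urlopen

# The default ErrorReportValve prints "Apache Tomcat/<version>" from ServerInfo
# in both the <title> and a trailing <h3>.  A bare product name is still a
# fingerprint, so it is flagged separately from an exact version.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)*)")
PRODUCT_RE = re.compile(r"Apache Tomcat", re.IGNORECASE)

# Section labels the default report emits in bold before each field.
REPORT_LABELS = ("message", "description", "exception", "root cause")


class _TextExtractor(HTMLParser):
    """Collect visible text and note whether <title> / <style> were present."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.has_title = False
        self.has_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.has_title = True
        elif tag == "style":
            self.has_style = True

    def handle_data(self, data):
        self.text.append(data)


def audit_error_page(html):
    """Return what a client can learn from one error page body."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.text)
    match = VERSION_RE.search(text)
    return {
        "version": match.group(1) if match else None,
        "server_info_disclosed": bool(match or PRODUCT_RE.search(text)),
        "report_disclosed": any(lbl in text.lower() for lbl in REPORT_LABELS),
        "has_title": parser.has_title,
        "has_style": parser.has_style,
    }


def is_hardened(html):
    """True when the page neither names the server nor carries the report."""
    result = audit_error_page(html)
    return not result["server_info_disclosed"] and not result["report_disclosed"]


def fetch_error_page(base_url, path="/this-path-should-not-exist"):
    """Request a path that should 404 and return the error body (network; not used by the tests)."""
    try:
        with urlopen(base_url.rstrip("/") + path, timeout=5) as resp:
            return resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.read().decode("utf-8", "replace")


# Constructed sample: shape of the default report (version is a placeholder).
DEFAULT_PAGE = """<html><head><title>Apache Tomcat/7.0.0 - Error report</title>
<style>H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}</style>
</head><body><h1>HTTP Status 404 - /nosuchpath</h1><HR size="1" noshade="noshade">
<p><b>type</b> Status report</p><p><b>message</b> <u>/nosuchpath</u></p>
<p><b>description</b> <u>The requested resource is not available.</u></p>
<HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.0</h3></body></html>"""

# Constructed sample: showReport="false" showServerInfo="false" (status only).
MINIMAL_PAGE = "<html><body><h1>HTTP Status 404 - /nosuchpath</h1></body></html>"

# Constructed sample (assumed shape): showReport="false", showServerInfo="true".
SERVER_INFO_ONLY_PAGE = ("<html><body><h1>HTTP Status 404 - /nosuchpath</h1>"
                         "<h3>Apache Tomcat/7.0.0</h3></body></html>")


if __name__ == "__main__":
    for name, page in (("default", DEFAULT_PAGE),
                       ("minimal", MINIMAL_PAGE),
                       ("server-info-only", SERVER_INFO_ONLY_PAGE)):
        print(name, audit_error_page(page), "hardened" if is_hardened(page) else "LEAKS")
```

To check a running instance, feed `fetch_error_page("http://host:8080")` into `audit_error_page`; the check deliberately treats the product name without a version as a disclosure too, since a hardened build should give a scanner nothing to fingerprint.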