Created attachment 31507 [details] Patch for ErrorReportValve When the default error valve returns its report it publishes the tomcat version and some other troubleshooting data. This of course breaks security standards at some companies and also is published as a item that needs to be remediated when hardening tomcat(OWASP - goo.gl/Zr9xso ). When using the OWASP solution of replacing the serverInfo.properties file it can and will break tools/code that uses that information. Attached is the proposed enhancement to be able switch options to show minimal information back. By adding the below will only return a html page with only the status. No CSS or title <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" /> Currently, default is true for both so if users still want to see the current report nothing will have to change in there server.xml
Comment on attachment 31507 [details] Patch for ErrorReportValve 1. Add getter methods? 2. Expose new attributes via JMX? (Update mbeans-descriptors.xml file in the same package) 3. Documentation? (Update webapps/docs/config/valve.xml. A bit more work than usually, because ErrorReporValve is not documented there at all)
Created attachment 31510 [details] Patch for ErrorReportValve_02 Added *Getter methods *Exposed new attributes via JMX? *Updated Documentation
Created attachment 31529 [details] Patch for ErrorReportValve_03 Changed the variables to protected from private
Do i need to provide a patch for tomcat 6 and 8?
Hi, I see that you are removing the CSS when showReport is false. Why is that? When showServerInfo is false you are removing the whole footer. Why is that? You can remove only the text so that the page stays with the same look and feel. Regards Violeta
My first patch did actually keep the css. However, after talking more with my team at work and looking at what the TomEE team has done(doesn't have css as well), it was determined if i left it you would then know its tomcat so you would still have a possible security issue. I just want to note you have to set both settings to false to remove the css. if you just disable the version you will see the css for the report part.
Thanks for the report and the patch. This has been fixed in trunk for 8.0.6 and in 7.0.x for 7.0.54 onwards.
When both showServerInfo and showReport are false, the generated HTML will have no <title> element. If I remember the specs correctly a <title> is required. A good alternative will be sb.append(smClient.getString("errorReportValve.statusHeader", String.valueOf(statusCode), message)) // errorReportValve.statusHeader=HTTP Status {0} - {1}
(In reply to Konstantin Kolinko from comment #8) Fixed, will be in 8.0.6 and 7.0.54. I went with the standard title "Error report". When I tried repeating the header text in the title, it looked bad for 404 errors.
*** Bug 52751 has been marked as a duplicate of this bug. ***