Good day. As I'm sure you are all aware, when the default error valve returns its report it publishes the Tomcat version and some other troubleshooting data. This breaks one of my security team's rules and is also listed as an item that needs to be remediated when hardening Tomcat (OWASP - goo.gl/Zr9xso). Using the OWASP solution of replacing the ServerInfo.properties file can and will break tools/code that use that information (in my case, our deployment agent). The other two solutions are to create our own valve and configure it in place of the default error valve, or to override the status code at the HTTPD server (which broke our JSON and SOAP requests that were returning valid 4XX and 5XX responses). That being said, why not just add the capability to disable this information in the current error valve? This way users are not required to override their ServerInfo.properties or to create and maintain a custom error valve. Thoughts?
Attached is a simple patch against 7.0.x. It can easily be ported to 8.0.x, as not much has changed there. You would then just add the following to your server.xml: <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" /> Thanks, Nick Bunn
### Eclipse Workspace Patch 1.0
#P Tomcat_7.0.x
Index: java/org/apache/catalina/valves/ErrorReportValve.java
===================================================================
--- java/org/apache/catalina/valves/ErrorReportValve.java (revision 1583670)
+++ java/org/apache/catalina/valves/ErrorReportValve.java (working copy)
@@ -62,7 +62,9 @@
 private static final String info = "org.apache.catalina.valves.ErrorReportValve/1.0"; - + private boolean showReport = true; + + private boolean showServerInfo = true; // ------------------------------------------------------------- Properties
@@ -196,11 +198,13 @@
 report = smClient.getString("errorReportValve.noDescription"); } } - + StringBuilder sb = new StringBuilder(); sb.append("<html><head><title>"); - sb.append(ServerInfo.getServerInfo()).append(" - "); + if(showServerInfo) { + sb.append(ServerInfo.getServerInfo()).append(" - "); + } sb.append(smClient.getString("errorReportValve.errorReport")); sb.append("</title>"); sb.append("<style><!--");
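Review bot: The new `showReport` / `showServerInfo` attributes are undocumented: within this patch only ErrorReportValve.java changes, so the valve reference (presumably webapps/docs/config/valve.xml in the Tomcat tree) will not mention them and a hardening checklist has nothing to point at. Both fields default to `true`, which keeps today's version disclosure for existing deployments; that is the right compatibility choice, but the documentation should state it explicitly so operators know the disclosure stays on unless they opt out. On style, the hunk at line 196 writes `if(showServerInfo) {` while the surrounding code uses `if (throwable != null)`; keep Tomcat's `if (` spacing. Both hunks cut through a class body and a method whose boundaries lie outside them.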
@@ -210,58 +214,62 @@ sb.append("<h1>"); sb.append(smClient.getString("errorReportValve.statusHeader", "" + statusCode, message)).append("</h1>"); - sb.append("<HR size=\"1\" noshade=\"noshade\">"); - sb.append("<p><b>type</b> "); - if (throwable != null) { - sb.append(smClient.getString("errorReportValve.exceptionReport")); - } else { - sb.append(smClient.getString("errorReportValve.statusReport")); + if(showReport) { + sb.append("<HR size=\"1\" noshade=\"noshade\">"); + sb.append("<p><b>type</b> "); + if (throwable != null) { + sb.append(smClient.getString("errorReportValve.exceptionReport")); + } else { + sb.append(smClient.getString("errorReportValve.statusReport")); + } + sb.append("</p>"); + sb.append("<p><b>"); + sb.append(smClient.getString("errorReportValve.message")); + sb.append("</b> <u>"); + sb.append(message).append("</u></p>"); + sb.append("<p><b>"); + sb.append(smClient.getString("errorReportValve.description")); + sb.append("</b> <u>"); + sb.append(report); + sb.append("</u></p>"); + + if (throwable != null) { + + String stackTrace = getPartialServletStackTrace(throwable); + sb.append("<p><b>"); + sb.append(smClient.getString("errorReportValve.exception")); + sb.append("</b> <pre>"); + sb.append(RequestUtil.filter(stackTrace)); + sb.append("</pre></p>"); + + int loops = 0; + Throwable rootCause = throwable.getCause(); + while (rootCause != null && (loops < 10)) { + stackTrace = getPartialServletStackTrace(rootCause); + sb.append("<p><b>"); + sb.append(smClient.getString("errorReportValve.rootCause")); + sb.append("</b> <pre>"); + sb.append(RequestUtil.filter(stackTrace)); + sb.append("</pre></p>"); + // In case root cause is somehow heavily nested + rootCause = rootCause.getCause(); + loops++; + } + + sb.append("<p><b>"); + sb.append(smClient.getString("errorReportValve.note")); + sb.append("</b> <u>"); + sb.append(smClient.getString("errorReportValve.rootCauseInLogs", + showServerInfo?ServerInfo.getServerInfo():"")); + sb.append("</u></p>"); + + } 
} - sb.append("</p>"); - sb.append("<p><b>"); - sb.append(smClient.getString("errorReportValve.message")); - sb.append("</b> <u>"); - sb.append(message).append("</u></p>"); - sb.append("<p><b>"); - sb.append(smClient.getString("errorReportValve.description")); - sb.append("</b> <u>"); - sb.append(report); - sb.append("</u></p>"); - - if (throwable != null) { - - String stackTrace = getPartialServletStackTrace(throwable); - sb.append("<p><b>"); - sb.append(smClient.getString("errorReportValve.exception")); - sb.append("</b> <pre>"); - sb.append(RequestUtil.filter(stackTrace)); - sb.append("</pre></p>"); - - int loops = 0; - Throwable rootCause = throwable.getCause(); - while (rootCause != null && (loops < 10)) { - stackTrace = getPartialServletStackTrace(rootCause); - sb.append("<p><b>"); - sb.append(smClient.getString("errorReportValve.rootCause")); - sb.append("</b> <pre>"); - sb.append(RequestUtil.filter(stackTrace)); - sb.append("</pre></p>"); - // In case root cause is somehow heavily nested - rootCause = rootCause.getCause(); - loops++; - } - - sb.append("<p><b>"); - sb.append(smClient.getString("errorReportValve.note")); - sb.append("</b> <u>"); - sb.append(smClient.getString("errorReportValve.rootCauseInLogs", - ServerInfo.getServerInfo())); - sb.append("</u></p>"); - + + if(showServerInfo) { + sb.append("<HR size=\"1\" noshade=\"noshade\">"); + sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>"); } - - sb.append("<HR size=\"1\" noshade=\"noshade\">"); - sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>"); sb.append("</body></html>"); try { 
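Review bot: With `showServerInfo=false` the root-cause note is built as `smClient.getString("errorReportValve.rootCauseInLogs", showServerInfo?ServerInfo.getServerInfo():"")`, so if that resource string embeds `{0}` in running text (e.g. "available in the {0} logs") the page now reads "in the  logs" with a dangling gap; a dedicated key without the placeholder, or substituting a neutral word such as `"server"` instead of `""`, avoids that. Also note what `showReport=false` still emits: the `<h1>` statusHeader line, including `message`, sits outside the new guard, so if `message` falls back to the exception's message when the response carries none (that code is above the hunk and not visible here), exception text can still reach the client with `showReport=false` — worth confirming, and worth stating in the attribute documentation that `showReport=false` suppresses the description and stack traces but not the status line. On style, `if(showReport) {` and the unspaced ternary should follow the surrounding `if (...)` and `a ? b : c` form. The generating method begins before and ends after this hunk.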
@@ -314,4 +322,22 @@
 }
 return trace.toString();
 }
+
+ /**
+ * Enables/Disables full error reports
+ *
+ * @param showReport
+ */
+ public void setShowReport(boolean showReport) {
+ this.showReport = showReport;
+ }
+
+ /**
+ * Enables/Disables server info on error pages
+ *
+ * @param showServerInfo
+ */
+ public void setShowServerInfo(boolean showServerInfo) {
+ this.showServerInfo = showServerInfo;
+ }
 }
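Review bot: The Javadoc on both setters carries an empty `@param` tag; say what each flag gates, e.g. `@param showReport {@code true} (default) to include the type/message/description block and any stack traces in the error page; {@code false} to emit only the status line` and `@param showServerInfo {@code true} (default) to print the server version string in the page title, footer and root-cause note`. Only setters are added; Tomcat's attribute injection needs nothing more, but if this valve is exposed over JMX a matching `isShowReport()` / `isShowServerInfo()` pair would let operators verify the hardening setting at runtime — the MBean descriptor is not in this patch, so confirm whether it applies. The fields are plain booleans set at configuration time, which is fine; no volatile or locking is warranted.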