Nick,

Please file a Bugzilla bug and attach your patch to it.

-chris

On 4/9/14, 10:36 AM, Nick Bunn wrote:
> Good Day,
>
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the Tomcat version and some other troubleshooting
> data. This of course breaks one of my security team's rules and is also
> published as an item that needs to be remediated when hardening
> Tomcat (OWASP - goo.gl/Zr9xso <http://goo.gl/Zr9xso>). When using the
> OWASP solution of replacing the serverInfo.properties file, it can and
> will break tools/code that use that information (in my case our
> deployment agent). The other two solutions are to create our own valve
> and just change it to the default error valve, or override the status
> code at the HTTPD server (which broke our JSON and SOAP requests that
> were providing valid 4XX and 5XX). That being said, why not just have the
> capability to disable this information in the current error valve? This
> way we are not requiring users to override their serverinfo.properties
> or create some custom error valve they will have to maintain. Thoughts?
>
> Attached is a simple patch to version 7.0.x. It can easily be ported to
> 8.0.x, as not much has changed. You would then just add the below to your
> server.xml:
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>        showReport="false" showServerInfo="false" />
>
> Thanks,
> Nick Bunn