Bug 65598 - Security by default with Tomcat error pages
Summary: Security by default with Tomcat error pages
Status: RESOLVED WONTFIX
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.5.71
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2021-09-27 16:38 UTC by Alexander Veit
Modified: 2021-09-27 16:51 UTC
Description Alexander Veit 2021-09-27 16:38:59 UTC
The default error pages provide a detailed report and server version by default.

To prevent information disclosure and gathering, this default behaviour should be changed to not report this information.

This could probably be done by setting


public class ErrorReportValve extends ValveBase {

    private boolean showReport = false;

    private boolean showServerInfo = false;
}
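
An added example, not part of the bug report or of Tomcat's code: a small Python check that reads a server.xml and lists each Host whose ErrorReportValve still has showReport or showServerInfo enabled. It assumes a Host with no explicit valve, or a valve with the attribute absent, uses the defaults the report describes (both enabled); the sample server.xml and host names are constructed.

```python
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml (not from the bug report): three hosts,
# one with no valve, one partially hardened, one fully hardened.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="a.example">
      <Host name="a.example" appBase="webapps"/>
      <Host name="b.example" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false"/>
      </Host>
      <Host name="c.example" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

def _enabled(valve, attr):
    # Assumption: a missing valve or missing attribute means the default (true).
    if valve is None:
        return True
    return valve.get(attr, "true").lower() == "true"

def audit_error_pages(server_xml):
    """Return {host name: [attributes still enabled]} for disclosing hosts."""
    findings = {}
    root = ET.fromstring(server_xml)
    for host in root.iter("Host"):
        # Only valves nested directly in the Host element are considered.
        valve = next((v for v in host.findall("Valve")
                      if v.get("className") == ERV), None)
        exposed = [a for a in ("showReport", "showServerInfo")
                   if _enabled(valve, a)]
        if exposed:
            findings[host.get("name", "?")] = exposed
    return findings

if __name__ == "__main__":
    for host, attrs in audit_error_pages(SAMPLE_SERVER_XML).items():
        print(f"{host}: still enabled -> {', '.join(attrs)}")
```

The check does not resolve `${...}` property substitution in attribute values and does not look at custom error pages declared in web.xml.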
Comment 1 Mark Thomas 2021-09-27 16:51:52 UTC
Discussion of this topic - if desired - belongs on the users list.