Portal prints error stacktrace on the browser, disclosing technical information

Issue

Environment

  • Any Liferay DXP Tomcat bundle

Resolution

  • The root cause is that Tomcat's default configuration in server.xml leaves error reports enabled, which exposes this information in the browser.
  • To disable error reports, add the following configuration to your $TOMCAT_HOME/conf/server.xml, inside the <Host> element:
<!-- Declares Tomcat's ErrorReportValve explicitly so that its attributes can be set.
     showReport="false" leaves the error report (message and stack trace) out of the
     HTML error page; showServerInfo="false" leaves the server version out of it.
     This changes only what is sent to the browser: the exception is still written to
     the server logs, so restrict access to those logs as well.
     server.xml is read at startup, so restart Tomcat after editing it. -->
<Valve className="org.apache.catalina.valves.ErrorReportValve" 
showReport="false"
showServerInfo="false" />
  • An example of a complete server.xml with error reporting disabled is below:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example server.xml: one HTTP connector, one Engine, one Host, with Tomcat's error
     report output disabled on that Host. -->
<!-- NOTE(review): port 8005 and the command string SHUTDOWN are Tomcat's stock values.
     Tomcat's security guidance suggests changing the command string, or setting
     port="-1" where the stop scripts are not used; confirm how this bundle is stopped
     before changing either value. -->
<Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
    <!-- Startup check: refuses to run as the listed OS user (root) or with a umask
         less restrictive than 0007. -->
    <Listener className="org.apache.catalina.security.SecurityListener" checkedOsUsers="root" minimumUmask="0007"/>
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off"/>
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

    <GlobalNamingResources/>

    <Service name="Catalina">
        <!-- Plain HTTP connector on port 8080; no TLS is configured here.
             maxHttpHeaderSize and maxPostSize cap the request header size and the
             container-parsed POST size (64 KiB and 4 MiB with these values).
             NOTE(review): together with the RemoteIpValve below, this layout presumably
             expects a TLS-terminating reverse proxy in front of Tomcat; confirm, and make
             sure port 8080 is reachable only from that proxy.
             NOTE(review): server="" is presumably meant to avoid advertising a server
             banner; verify the Server response header that is actually sent. -->
        <Connector
                acceptorThreadCount="2"
                bindOnInit="false"
                connectionTimeout="20000"
                enableLookups="false"
                maxHttpHeaderSize="65536"
                maxPostSize="4194304"
                maxThreads="200"
                minSpareThreads="50"
                port="8080"
                protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                server=""
                URIEncoding="UTF-8"
        />

        <Engine name="Catalina" defaultHost="localhost">
            <!-- NOTE(review): autoDeploy="true" lets Tomcat deploy whatever appears under
                 appBase while it is running; make sure only the deployment account can
                 write to the webapps directory. -->
            <Host name="localhost" appBase="webapps"
                  unpackWARs="true" autoDeploy="true">

                <!-- Takes the client address and scheme seen by the application from the
                     X-Forwarded-For and X-Forwarded-Proto request headers.
                     internalProxies and trustedProxies are not set, so the valve's built-in
                     defaults decide which peers may supply these headers; verify that
                     those defaults match the proxies actually deployed in front of Tomcat. -->
                <Valve className="org.apache.catalina.valves.RemoteIpValve"
                       remoteIpHeader="X-Forwarded-For"
                       protocolHeader="X-Forwarded-Proto"/>
					   
                <!-- BEGIN: REMOVE TOMCAT ERROR REPORTS -->
                <!-- showReport="false" keeps the error report and stack trace out of the HTML
                     error page; showServerInfo="false" keeps the server version out of it.
                     Only the pages Tomcat itself generates are covered; the exception is
                     still written to the server logs.
                     NOTE(review): error output rendered by the application is presumably
                     not affected by this valve; check it separately. -->
                <Valve className="org.apache.catalina.valves.ErrorReportValve" 
                       showReport="false" 
                       showServerInfo="false" />
                <!-- END: REMOVE TOMCAT ERROR REPORTS -->
				
            </Host>
        </Engine>
    </Service>
</Server>
  • On DXP Cloud you must deploy the modified server.xml to the desired environment by placing it in the folder $REPO/liferay/configs/$ENVIRONMENT/tomcat/conf/server.xml and triggering a deployment of the liferay service.

Additional Information

 
