[
https://issues.apache.org/jira/browse/SLING-4049?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14171198#comment-14171198
]
Felix Meschberger commented on SLING-4049:
------------------------------------------
The error handling system is configurable and I would think that for a
production setup custom errorhandler scripts should be created which don't
expose stacktraces, request progress trackers, and system version.
> Errorhandling: Allow Configuration of Displaying Stacktraces/Request Progress
> -----------------------------------------------------------------------------
>
> Key: SLING-4049
> URL: https://issues.apache.org/jira/browse/SLING-4049
> Project: Sling
> Issue Type: Improvement
> Components: Servlets
> Reporter: Dominique Jäggi
>
> It should be configurable whether during error display (40x, 50x, etc.)
> stacktraces or the request progress is displayed or not.
> For production systems it is undesirable to exhibit information that may
> allow an attacker to determine internal information such as used scripts,
> paths, classes, line numbers, etc.
> Ideally this could be centrally configured, affecting both e.g. the JSP
> handlers (404.jsp) as well as any other facility outputting error conditions.
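A production error handler script of the kind the comment describes, as an added example that is not part of the original message or of the Sling code base. It assumes the script is installed as `/apps/sling/servlet/errorhandler/default.jsp` (the location and the wording of the page are assumptions); the full details go to the server log under a reference ID, and the client only sees the status code and that ID.

```jsp
<%@ page session="false" contentType="text/html; charset=utf-8"
         import="java.util.UUID" %>
<%@ taglib prefix="sling" uri="http://sling.apache.org/taglibs/sling/1.0" %>
<sling:defineObjects/>
<%
    // Standard servlet error attributes set by the container / error dispatcher.
    Integer status  = (Integer)   request.getAttribute("javax.servlet.error.status_code");
    Throwable cause = (Throwable) request.getAttribute("javax.servlet.error.exception");
    String uri      = (String)    request.getAttribute("javax.servlet.error.request_uri");

    int code = (status != null) ? status.intValue() : 500;

    // Reference ID shown to the client so support can find the log entry.
    String ref = UUID.randomUUID().toString();

    // Strip CR/LF before logging so the request URI cannot forge log lines.
    String safeUri = (uri == null) ? "-" : uri.replaceAll("[\\r\\n]", "_");

    // Stack trace and request details stay in the server log only.
    if (cause != null || code >= 500) {
        log.error("error ref={} status={} uri={}", new Object[] { ref, code, safeUri, cause });
    } else {
        log.info("error ref={} status={} uri={}", new Object[] { ref, code, safeUri });
    }

    // The script is responsible for the response status; keep the original
    // code and prevent caches from storing the error page.
    if (!response.isCommitted()) {
        response.setStatus(code);
        response.setHeader("Cache-Control", "no-store");
    }
%>
<!DOCTYPE html>
<html>
<head><title>Error <%= code %></title></head>
<body>
  <h1>Error <%= code %></h1>
  <p>The request could not be completed.</p>
  <%-- No stack trace, no request progress tracker output, no server or
       version banner: only the opaque reference ID. --%>
  <p>Reference: <%= ref %></p>
</body>
</html>
```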