raboof opened a new issue, #15051: URL: https://github.com/apache/druid/issues/15051
Druid currently has the property `druid.server.http.showDetailedJettyErrors` [1] which when set to false, will remove the fields `cause` and `servlet` from any error response created by the Jetty layer (this property is currently set to true by default). However, this property currently does not modify, sanitize, nor hide the other fields in the Jetty error response (namely `message`, `url`, and `status`). It might make sense to sanitize all other fields (`message`, `url`, and `status`) so that user provided content does not get added. While this content is properly escaped, meaning there is no risk of XSS-style problems, in paranoid cases they could in theory still lead to information disclosure or other confusion.
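As an added illustration (not Druid's own code, and not code from the issue author), the two policies the report contrasts, modelled in Python on a constructed Jetty-style error object: today's flag strips only `cause` and `servlet`, while the proposed change would also replace the request-influenced `message` and `url` fields with values derived solely from the status code. The field names come from the issue; the function names and sample values are assumptions.

```python
from http import HTTPStatus

# Fields today's showDetailedJettyErrors=false removes (per the issue).
DETAILED_FIELDS = ("cause", "servlet")
# Fields the issue proposes to sanitize too, because they echo request data.
USER_INFLUENCED_FIELDS = ("message", "url")


def current_policy(error: dict, show_detailed: bool) -> dict:
    """Models existing behaviour: drop cause/servlet when the flag is false."""
    if show_detailed:
        return dict(error)
    return {k: v for k, v in error.items() if k not in DETAILED_FIELDS}


def proposed_policy(error: dict, show_detailed: bool) -> dict:
    """Models the proposal: additionally replace message/url with content
    derived only from the status code, so nothing request-controlled remains."""
    out = current_policy(error, show_detailed)
    if show_detailed:
        return out
    status = int(out["status"])
    out = {k: v for k, v in out.items() if k not in USER_INFLUENCED_FIELDS}
    try:
        out["message"] = HTTPStatus(status).phrase  # e.g. 404 -> "Not Found"
    except ValueError:  # non-standard status code: fall back to a fixed string
        out["message"] = "Error"
    return out


def echoes_request_data(response: dict, request_path: str) -> bool:
    """Defender's check: does any field still reflect the request path?"""
    return any(request_path in str(v) for v in response.values())


# Constructed sample (hypothetical values): a Jetty-style 404 whose message
# and url fields reflect the request path verbatim.
REQUEST_PATH = "/druid/v2/no-such-endpoint"
SAMPLE_ERROR = {
    "status": 404,
    "message": f"Not Found: {REQUEST_PATH}",
    "url": REQUEST_PATH,
    "servlet": "org.example.SomeServlet-1a2b3c",
    "cause": "example.ServletException: no handler",
}

if __name__ == "__main__":
    print(current_policy(SAMPLE_ERROR, False))   # still contains the path
    print(proposed_policy(SAMPLE_ERROR, False))  # {'status': 404, 'message': 'Not Found'}
```

Running `echoes_request_data` over both outputs shows the difference the issue describes: the current policy still returns the request path in `message` and `url`, the proposed one does not.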
