Chris,
Done (Bug 56383 <https://issues.apache.org/bugzilla/show_bug.cgi?id=56383>).
I didn't know if we needed to talk about it first since it was an
enhancement. On another note, do I need to make another bug for Tomcat 8, or
if this one gets accepted, will it be ported over? What about documentation?
Does a patch for the site need to be included in the bug report as well?

Thanks,
Nick Bunn


On Thu, Apr 10, 2014 at 2:17 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Nick,
>
> Please file a Bugzilla bug and attach your patch to it.
>
> -chris
>
> On 4/9/14, 10:36 AM, Nick Bunn wrote:
> > Good Day,
> > As I'm sure you are all aware, when the default error valve returns its
> > report it publishes the Tomcat version and some other troubleshooting
> > data. This of course breaks one of my security team's rules and is also
> > published as an item that needs to be remediated when hardening
> > Tomcat (OWASP - goo.gl/Zr9xso <http://goo.gl/Zr9xso>). When using the
> > OWASP solution of replacing the serverInfo.properties file, it can and
> > will break tools/code that use that information (in my case our
> > deployment agent). The other two solutions are to create our own valve
> > and just change it to the default error valve, or override the status
> > code at the HTTPD server (which broke our JSON and SOAP requests that
> > were providing valid 4XX and 5XX). That being said, why not just have the
> > capability to disable this information in the current error valve? This
> > way we are not requiring users to override their serverinfo.properties
> > or create some custom error valve they will have to maintain. Thoughts?
> >
> > Attached is a simple patch to version 7.0.x. It can easily be ported to
> > 8.0.x as not much has changed. You would then just add the below to your
> > server.xml:
> >
> > <Valve className="org.apache.catalina.valves.ErrorReportValve"
> > showReport="false" showServerInfo="false" />
> >
> >
> > Thanks,
> > Nick Bunn
> >
>
>


-- 
Thanks,
Nick Bunn
