On Fri, Jan 24, 2014 at 03:47:22PM -0600, Tim Donohue wrote:
> Hi Andrew,
> 
> On 1/24/2014 2:46 PM, Andrew Reid wrote:
> >   Huh.  This is not working for me -- I have a testing installation
> >with the default Mirage theme, and I am adding the lines from
> >your comment directly in Mirage/sitemap.xmap, rather than
> >rebuilding the app -- I mention this because it might be
> >part of the issue.
> >
> >   I may be using weird errors, too, my testing URL is
> >"<host>/dspace/xmlui/static/wrong.html", or
> >"<host>/dspace/xmlui/static/wrong.js" -- they give different
> >errors, the former gives a "ResourceNotFound" with a big
> >long Cocoon back-trace, and the second one gives a
> >NullPointerException, with a very short Cocoon back-trace.
> >
> >   Modifying Mirage/sitemap.xmap did not change this
> >behavior -- I double-checked that the additional handle-errors
> >map is *inside* the map:pipelines tag and *outside* any of the
> >other map:item tag-pairs.
> >
> >   Are my errors too weird?  Am I actually getting *two* errors
> >somehow?  Vandalizing the top-level sitemap.xml
> >is starting to look like the near-term solution, but I'd be
> >willing to invest a bit more effort in a nicer answer.
> 
> I'm probably going to need more info. It sounds like our two setups
> are different in some way....though admittedly, all of this work is
> extremely new (working on it *today*). So maybe I've overlooked
> something too.
> 
> What does the URL to your DSpace homepage look like? Is it
> <host>/dspace/xmlui/?

  Yes -- it happens both for my soon-to-deploy test system and
my mostly-clean DSpace 3.2 prototype.  It's mod_jk from an Apache
front end to Tomcat in the back.  There's a sym-link trick, 
the actual app is behind a symlink with a "#" in it, which Tomcat
converts to a slash.  
  Long way to say that, yes, the base URL is <host>/dspace/xmlui.

  The actual URL that our security folks' scanner picked up was
"<host>/dspace/xmlui/static/js/discovery/badfile123.js", which is 
apparently some kind of likely penetration vector.  The actual
error is, "An error has occurred", which is apparently an HTTP 500
response.

  Without the "static" (for "<host>/dspace/xmlui/js/discovery/badfile123.js"),
I get a different error, it's a "Resource not found", again with the
stack-traces.

  Since Friday, I have also subsequently heard that my security folks
are unhappy with the 500 response -- can you (or anyone) offer them
some assurances that this is benign?  I noticed, while poking around,
that other public-facing DSpace installations do the same thing --
I won't mention any names, since it's at least possible it's some
kind of security issue.

  The prototype system is the one where I have tried putting the
error-handling code in the webapps/xmlui/themes/Mirage/sitemap.xmap
file -- I see the same behavior both with and without this code.
After making changes to this file, I am restarting Tomcat, and 
I am frequently clearing my browser cache, so hopefully I am 
avoiding simple statefulness mistakes.

                                -- A.

> Also, what happens if you remove the /static/ subpath? (That
> actually *IS* a valid subpath in DSpace, and there's some "special
> logic" to deal with that subpath which could be causing issues
> here.)
  
  Covered above, it converts the 500 to a 404, but does not
change the presentation of the errors.

> 
> In any case, here's what works for me (on DSpace 4.0, but it should
> be the same for 3.2). In the example below "[dspace.dir]" represents
> the directory where DSpace is *installed*.
> 
> 1. For me, Tomcat is loading the DSpace XMLUI from
> [dspace.dir]/webapps/xmlui/ (it's a completely fresh install of
> DSpace 4)
> 
> 2. Create an "error.html" under
> [dspace.dir]/webapps/xmlui/themes/Mirage/ (making sure it's
> obviously readable to Tomcat)
> 
> 3. Modify the "sitemap.xmap" under
> [dspace.dir]/webapps/xmlui/themes/Mirage/  For a simple test just
> add this:
> 
> <map:sitemap>
> 
> <!-- lots of settings -->
> 
>   <map:pipelines>
> 
>        <!-- lots of pipeline settings -->
> 
> 
>        <!-- For a VERY simple test, just add the below four lines -->
>        <!-- This will cause any errors to display the "error.html"
> file and throw an HTTP 404 response -->
> 
>        <map:handle-errors>
>           <map:generate src="error.html"/>
>           <map:serialize type="html" status-code="404"/>
>        </map:handle-errors>
>   </map:pipelines>
> </map:sitemap>

   Tried this, still no change in the error behavior, I am seeing
the output filtered through exception2html.

  The actual Cocoon error may be informative, it seems to be 
coming from the top-level sitemap.xmap (i.e. the xmlui one, not the
Mirage one), it says "failed to process reader", and has a complaint
about lines 605 and 606 of <host>/dspace/xmlui/sitemap.xmap. 

  Is this helpful?

                                -- A.

> 
> 4. You may need to restart Tomcat (depending on your settings)
> 
> 5. Finally, test some invalid URLs.  For me, DSpace XMLUI is running
> directly at "http://localhost:8080".  So, all of these invalid URLs
> show me the "error.html" contents:
> 
>     http://localhost:8080/asdfasdf
>     http://localhost:8080/not/a/valid/path
>     http://localhost:8080/also/not/valid.html
>     http://localhost:8080/handle/not/valid
>     http://localhost:8080/asdfsdf.js
> 
> But, I can still load valid DSpace URLs like:
> 
>     http://localhost:8080/   (DSpace homepage for me)
>     http://localhost:8080/community-list (Community listing)
> 
> I'm not sure if that helps at all. But, hopefully it gives you all
> the steps.  Obviously I've simplified the <map:handle-errors>
> setting (from the more complete example in DS-1596).

  I'm hugely grateful for your attention -- this is all pretty new
to me, but I'm a reasonably quick study, and I have a lot of pressure 
to deploy.

                                -- A.
-- 
Dr. Andrew C. E. Reid
Physical Scientist, Computer Operations Administrator
Center for Theoretical and Computational Materials Science
National Institute of Standards and Technology, Mail Stop 8555
Gaithersburg MD 20899 USA
[email protected]
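The scanner complaint in this thread is that invalid XMLUI paths answer with HTTP 500 and a Cocoon stack trace instead of a clean 404 error page. The script below is an added example (not part of this thread, not DSpace or Cocoon code) that re-tests the invalid paths quoted above once the `<map:handle-errors>` change is in place: it fetches each path under the base URL and reports whether the response is a clean 404, a 500, or a body that still carries Cocoon internals. The marker strings and the `classify_response`/`check_site` names are assumptions for this example, chosen from the error texts quoted in the thread.

```python
"""Re-test invalid XMLUI paths for HTTP 500 responses and leaked Cocoon traces.

Added example, not part of the mailing-list thread or of DSpace. Assumes the
XMLUI base URL (e.g. <host>/dspace/xmlui) is reachable from where it runs.
"""
import sys
import urllib.error
import urllib.request

# Fragments whose presence in a response body means an unhandled Cocoon error
# reached the client (assumed markers, taken from the errors quoted in the thread).
LEAK_MARKERS = (
    "exception2html",
    "org.apache.cocoon",
    "NullPointerException",
    "ResourceNotFoundException",
    "failed to process reader",
)

# Invalid paths discussed in the thread; relative to the XMLUI base URL.
INVALID_PATHS = (
    "/static/wrong.html",
    "/static/wrong.js",
    "/static/js/discovery/badfile123.js",
    "/js/discovery/badfile123.js",
    "/not/a/valid/path",
)


def classify_response(status, body):
    """Classify one (status code, body text) pair.

    Returns 'ok' for a 404 with no internal details, 'status:<code>' for any
    other status (a 500 is what the scanner objected to), and 'leak:<markers>'
    when the body contains Cocoon internals regardless of the status code.
    """
    found = [m for m in LEAK_MARKERS if m in body]
    if found:
        return "leak:" + ",".join(found)
    if status == 404:
        return "ok"
    return "status:%d" % status


def fetch(url):
    """Fetch a URL and return (status, body); error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url, paths=INVALID_PATHS, fetcher=fetch):
    """Return {path: finding} for every invalid path under base_url.

    `fetcher` is injectable so the classification can be exercised offline.
    """
    results = {}
    for path in paths:
        status, body = fetcher(base_url.rstrip("/") + path)
        results[path] = classify_response(status, body)
    return results


if __name__ == "__main__":
    # Usage: python check_xmlui_errors.py http://localhost:8080/dspace/xmlui
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/dspace/xmlui"
    for path, finding in check_site(base).items():
        print("%-40s %s" % (path, finding))
```

After the sitemap change every line should read `ok`; a `status:500` means the handle-errors block is not being reached (for instance because the error originates in the top-level xmlui sitemap rather than the theme sitemap, as the Cocoon message above suggests), and a `leak:` line means a trace is still being rendered through exception2html even if the status code looks right.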

_______________________________________________
DSpace-tech mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/dspace-tech
List Etiquette: https://wiki.duraspace.org/display/DSPACE/Mailing+List+Etiquette