Hi Naresh,

I do not believe it is possible, which is why Ian was suggesting improvements are always welcome.

Needless to say, security through obscurity is pretty poor security, which is likely why this hasn't been done yet. Even as merely one layer of security. If your security relies on an attacker not knowing your database vendor and/or version, you have bigger problems than the content of an error message. If your db version is anything other than something very close to "latest-stable" then you are already likely open to have known vulnerabilities, and there are only a tiny handful of real database options.

Now, from a user-friendliness perspective, a more user-friendly error than GeoServer's "here's a big wall of scary technical stuff that only really means anything to a few dozen people in the world" would be great, at least for the basic errors like "your SLD is borked". That said, posting parts of said big wall to this list does frequently elicit the help of such people... so... swings and roundabouts.

Cheers,

Jonathan


On 12/09/2018 09:36, Naresh N wrote:
Dear All,
Is it possible to display generic error messages by doing any settings in Geoserver? If it is not possible, is there any way of not displaying/showing any kind of error messages to users?

Please let me know.

Thanks&Regards,
Naresh

On Tue, Sep 11, 2018 at 6:34 PM Ian Turton <[email protected]> wrote:

    We're always happy to receive improvements.

    Ian

    On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing.
    <[email protected]> wrote:

        Hello Jukka,

        the 'java.lang.NumberFormatException' is only one example for
        error messages that expose system details. There might be a
        lot of other information that will be shown to potential
        attackers when detailed error messages are shown to the user,
        f.e. database related errors showing the database vendor (and
        indirectly also the database version).

        So I also think that error messages should be more generic!

        Regards

        Daniel

        *From:* Naresh N [mailto:[email protected]]
        *Sent:* Friday, August 31, 2018 11:20 AM
        *To:* [email protected]
        *Cc:* [email protected]
        *Subject:* Re: [Geoserver-users] Disabling error response of
        WMS/WFS to the Clients/users

        Dear Jukka Rahkonen,

        Thanks a lot for the response and for explaining in detail.

        Best Regards,

        Naresh.N

        On Thu, Aug 30, 2018 at 5:56 PM Rahkonen Jukka (MML)
        <[email protected]> wrote:

            Hi,

            If you use just non-supported outputformat

            
http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88

            then the error is

            <ServiceException code="InvalidFormat">

                  There is no support for creating maps in image/png88
            format

            Your error comes from non-numeric height parameter

            
http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8

            gives similar error
            <ServiceException>

            java.lang.NumberFormatException: For input string:
            &quot;acu330&quot;

            By reading the WMS 1.3.0 standard, such invalid WIDTH and
            HEIGHT parameters are not really dealt with in it. What is
            closest is this:
            “If the WMS server has declared that a Layer has fixed
            width and height, as described in 7.2.4.7.5, then the
            client shall specify exactly those WIDTH and HEIGHT values
            in the GetMap request and the server may issue a service
            exception otherwise.”

            The message reveals that server is Java based which is
            something that the end user does not need to know. It is
            also telling that number format used in the request is not
            correct and that’s useful information for the user.
            Disabling the whole exception is not possible because it
            is mandatory. So what is left is filtering the “java.lang”
            away. I believe it could be done (I am not a developer)
            but I believe that it would not be any huge improvement
            for the security. If somebody proves that I am wrong I can
            change my mind.

            -Jukka Rahkonen-

            *From:* Naresh N [mailto:[email protected]]
            *Sent:* August 30, 2018 9:52
            *To:* Rahkonen Jukka (MML)
            <[email protected]>
            *Subject:* Re: [Geoserver-users] Disabling error response of
            WMS/WFS to the Clients/users

            Dear Jukka Rahkonen,

            Please find the below request

            
http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&format=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode:kds_name&width=200

            The above request is generated by a Web Application Security
            tool, and it is listed as a security alert as it is showing
            the error message as java.lang.Number Format Exception.
            The recommendation is to disable the error message. Kindly
            help me to resolve this.

            Thanks&Regards,

            Naresh

            On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML)
            <[email protected]> wrote:

                Hi,

                Please show the whole request with the wrong &FORMAT=
                parameter.

                -Jukka Rahkonen-

                
------------------------------------------------------------------------

                *From:* Naresh N <[email protected]>
                *Sent:* 30.8.2018 7:22
                *To:* Rahkonen Jukka (MML) <[email protected]>
                *Subject:* Re: [Geoserver-users] Disabling error response
                of WMS/WFS to the Clients/users

                Dear Jukka Rahkonen,

                Thanks for the response. The error message
                'java.lang.Number FormatException' belongs to
                InvalidFormat. Instead of showing the service exception,
                i.e. java.lang.Number Format Exception, how to display
                the InvalidFormat message to the user? Although this error
                is not displaying any sensitive information, as per our
                security alerts measure, we want to disable the error
                messages. Kindly let me know how to do it.

                Thanks&Regards,

                Naresh

                On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML)
                <[email protected]> wrote:

                    Hi,

                    I suppose that you mean the contents "
                    java.lang.NumberFormatException: For input
                    string:".  Exceptions are compulsory by the WMS
                    standard. The following codes are reserved for
                    special meanings.

                    InvalidFormat
                    InvalidCRS
                    LayerNotDefined
                    StyleNotDefined
                    LayerNotQueryable
                    InvalidPoint
                    CurrentUpdateSequence
                    InvalidUpdateSequence
                    MissingDimensionValue
                    InvalidDimensionValue
                    OperationNotSupported

                    The error that triggers your error does not quite
                    suit with these predefined meanings and therefore
                    the error code must be something else. The code
                    that you get now is
                    "java.lang.NumberFormatException". At least it is
                    somewhat informative but would you rather see some
                    other text as an error message?

                    Client can also ask exceptions in another format
                    with &EXCEPTIONS=INIMAGE or &EXCEPTIONS=BLANK, but
                    the default XML format is still mandatory and it
                    can't be turned off.

                    -Jukka Rahkonen-

                    -----Original message-----
                    From: naresh [mailto:[email protected]]
                    Sent: August 29, 2018 16:33
                    To: [email protected]
                    Subject: [Geoserver-users] Disabling error response
                    of WMS/WFS to the Clients/users

                    Hello ALL,

                    Please see the following error message received on
                    wrong values of params of WMS request

                    <ServiceExceptionReport
                    xmlns="http://www.opengis.net/ogc"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    version="1.3.0"
                    xsi:schemaLocation="http://www.opengis.net/ogc
                    http://bhuvan-suvidha.nrsc.gov.in/geoserver/schemas/wms/1.3.0/exceptions_1_3_0.xsd">
                    <ServiceException>
                    java.lang.NumberFormatException: For input string:
                    "" For input string: ""
                    </ServiceException>
                    </ServiceExceptionReport>

                    I want to disable the error message, it should not
                    be displayed to user

                    *How to disable errors displaying messages in
                    Geoserver. *

                    Please help solving my issue

                    Thanks&Regards,
                    Naresh




                    --
                    Sent from:
                    
http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html

                    
                    _______________________________________________
                    Geoserver-users mailing list

                    Please make sure you read the following two
                    resources before posting to this list:
                    - Earning your support instead of buying it, by
                    Ian Turton:
                    http://www.ianturton.com/talks/foss4g.html#/
                    - The GeoServer user list posting guidelines:
                    http://geoserver.org/comm/userlist-guidelines.html

                    If you want to request a feature or an
                    improvement, also see this:
                    
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


                    [email protected]
                    https://lists.sourceforge.net/lists/listinfo/geoserver-users




-- Ian Turton





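The "filtering java.lang away" idea discussed in this thread, as an added example (not GeoServer code and not written by any list participant): a response filter, assumed to run in a reverse proxy in front of the server, that keeps the mandatory ServiceExceptionReport but strips Java class names and stack frames from its text. The function name, fallback wording and sample report are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

OGC_NS = "http://www.opengis.net/ogc"
# Fully qualified Java exception names, e.g. "java.lang.NumberFormatException:"
JAVA_CLASS = re.compile(r"\b(?:[a-z_][a-z0-9_]*\.)+[A-Z]\w*(?:Exception|Error)\b:?\s*")
# Stack-trace frames such as "at org.example.Foo.bar(Foo.java:12)"
STACK_FRAME = re.compile(r"^\s*at\s+[\w.$<>]+\(.*\)\s*$", re.MULTILINE)
GENERIC = "Invalid request parameter."  # assumed fallback wording

# Constructed sample, modelled on the report quoted in the thread.
SAMPLE = """<ServiceExceptionReport xmlns="http://www.opengis.net/ogc" version="1.3.0">
<ServiceException>
java.lang.NumberFormatException: For input string: "acu330"
</ServiceException>
</ServiceExceptionReport>"""


def sanitize_service_exception(xml_text):
    """Return (body, changed); the report itself is kept, only its text is cleaned."""
    ET.register_namespace("", OGC_NS)  # serialize without an ns0: prefix
    try:
        root = ET.fromstring(xml_text)  # body comes from our own backend server
    except ET.ParseError:
        return xml_text, False  # not XML (e.g. an image): pass through
    changed = False
    for el in root.iter():
        # Match on the local name so namespaced (1.3.0) and plain (1.1.x) reports both work.
        if el.tag.rsplit("}", 1)[-1] != "ServiceException":
            continue
        original = " ".join((el.text or "").split())
        cleaned = JAVA_CLASS.sub("", STACK_FRAME.sub("", el.text or ""))
        cleaned = " ".join(cleaned.split())
        if cleaned != original:
            el.text = cleaned or GENERIC  # never leave the element empty
            changed = True
    # Untouched reports go back unmodified; rewritten ones lose any DOCTYPE.
    return (ET.tostring(root, encoding="unicode"), True) if changed else (xml_text, False)


if __name__ == "__main__":
    print(sanitize_service_exception(SAMPLE)[0])
```

The part of the message that helps the user ("For input string: ...") survives, and reports that carry only a reserved code such as InvalidFormat pass through unmodified.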