Hi Jukka,
I think this is highlighting that there are different kinds of error
messages, and I suspect (just guessing here) that the way GeoServer
handles them is that it simply does not differentiate - they probably
mostly get caught in the same way/place.
Server side errors (which can be walls of technical text and stuffed
away in the logs - they're for the techy server admin), and the
admin-user errors. Currently GeoServer doesn't really differentiate
which is why I took a gentle(!) poke at the user-friendliness component
of the current admin-user errors, as such folks aren't necessarily
techy. Unless something has changed since last I looked, the
stack-traces you get for something like an SLD error are ...
intimidating to a less-technical user. There are also the
public-end-user errors (didn't include the "Request=" parameter for
instance), but those are typically defined as OGC exceptions and usually
get back a suitable (if XML-verbose) response.
But it's all pie-in-the-sky thinking unless someone contributes a patch
(or money for). So...
Cheers,
Jonathan
On 18/09/2018 18:06, Rahkonen Jukka (MML) wrote:
Hi,
But users can’t check the server log and if they could it would
probably be a higher security risk. Error messages exist for helping the
users to understand what they did wrong. Disabling error messages
would leave them all alone. If it feels reasonable in your environment
I guess it would not be very difficult to program a proxy that rips the
error messages out or rewrites them to some neutral message.
-Jukka Rahkonen-
*From:* Jason Newmoyer [mailto:[email protected]]
*Sent:* 18 September 2018 18:29
*To:* [email protected]
*Cc:* GeoServer Mailing List List <[email protected]>
*Subject:* Re: [Geoserver-users] Disabling error response of WMS/WFS to
the Clients/users
I think a "suppress error messages" mode would be a nice-to-have
feature. It would certainly make our customers happy to see those
findings disappear from scan reports.
Also, the full error messages should pretty much always be available
in the server log. Displaying a generic error and saying "please check
the server log" doesn't seem unreasonable.
Jason
Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
[email protected]
On Mon, Sep 17, 2018 at 3:31 PM, Jonathan Moules <[email protected]> wrote:
Hi Naresh,
I do not believe it is possible which is why Ian was suggesting
improvements are always welcome.
Needless to say, security through obscurity is pretty poor
security, which is likely why this hasn't been done yet. Even as
merely one layer of security. If your security relies on an
attacker not knowing your database vendor and/or version, you have
bigger problems than the content of an error message. If your db
version is anything other than something very close to
"latest-stable" then you are already likely open to have known
vulnerabilities, and there are only a tiny handful of real
database options.
Now, from a user-friendliness perspective, a more user-friendly
error than GeoServer's "here's a big wall of scary technical stuff
that only really means anything to a few dozen people in the
world" would be great, at least for the basic errors like "your
SLD is borked". That said, posting parts of said big wall to this
list does frequently elicit the help of such people... so...
swings and roundabouts.
Cheers,
Jonathan
On 12/09/2018 09:36, Naresh N wrote:
Dear All,
Is it possible to display generic error messages by doing any
settings in Geoserver? If it is not possible, is there any
way of not displaying/showing any kind of error messages to users?
Please let me know.
Thanks&Regards,
Naresh
On Tue, Sep 11, 2018 at 6:34 PM Ian Turton <[email protected]> wrote:
We're always happy to receive improvements.
Ian
On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing. <[email protected]> wrote:
Hello Jukka,
the 'java.lang.NumberFormatException' is only one
example for error messages that expose system details.
There might be a lot of other information that will be
shown to potential attackers when detailed error
messages are shown to the user, e.g. database related
errors showing the database vendor (and indirectly
also the database version).
So I also think that error messages should be more
generic!
Regards
Daniel
*From:* Naresh N [mailto:[email protected]]
*Sent:* Friday, August 31, 2018 11:20 AM
*To:* [email protected]
*Cc:* [email protected]
*Subject:* Re: [Geoserver-users] Disabling error
response of WMS/WFS to the Clients/users
Dear Jukka Rahkonen,
Thanks a lot for the response and for explaining in detail.
Best Regards,
Naresh.N
On Thu, Aug 30, 2018 at 5:56 PM Rahkonen Jukka (MML) <[email protected]> wrote:
Hi,
If you use just non-supported outputformat
http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88
then the error is
<ServiceException code="InvalidFormat">
There is no support for creating maps in
image/png88 format
Your error comes from non-numeric height parameter
http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8
gives similar error
<ServiceException>
java.lang.NumberFormatException: For input string:
"acu330"
By reading the WMS 1.3.0 standard such invalid
WIDTH and HEIGHT parameters are not really dealt with
in it. What is closest is this:
“If the WMS server has declared that a Layer has
fixed width and height, as described in 7.2.4.7.5,
then the client shall specify exactly those WIDTH
and HEIGHT values in the GetMap request and the
server may issue a service exception otherwise.”
The message reveals that the server is Java based
which is something that the end user does not need
to know. It is also telling that the number format
used in the request is not correct and that’s
useful information for the user. Disabling the
whole exception is not possible because it is
mandatory. So what is left is filtering the
“java.lang” away. I believe it could be done (I am
not a developer) but I believe that it would not
be any huge improvement for the security. If
somebody proves that I am wrong I can change my mind.
-Jukka Rahkonen-
*From:* Naresh N [mailto:[email protected]]
*Sent:* 30 August 2018 9:52
*To:* Rahkonen Jukka (MML) <[email protected]>
*Subject:* Re: [Geoserver-users] Disabling error
response of WMS/WFS to the Clients/users
Dear Jukka Rahkonen,
Please find the below request
http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&format=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode:kds_name&width=200
The above request is generated by a Web Application
Security tool, and it is listed as a security alert
as it is showing the error message as
java.lang.NumberFormatException. Recommendation
is to disable the error message. Kindly help me to
resolve this.
Thanks&Regards,
Naresh
On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML) <[email protected]> wrote:
Hi,
Please show the whole request with the wrong
&FORMAT= parameter.
-Jukka Rahkonen-
------------------------------------------------------------------------
*From:* Naresh N <[email protected]>
*Sent:* 30.8.2018 7:22
*To:* Rahkonen Jukka (MML) <[email protected]>
*Subject:* Re: [Geoserver-users] Disabling error
response of WMS/WFS to the Clients/users
Dear Jukka Rahkonen,
Thanks for the response. The error message
'java.lang.NumberFormatException' belongs to
InvalidFormat. Instead of showing the service
exception, i.e. java.lang.NumberFormatException,
how to display the InvalidFormat
message to the user? Although this error is not
displaying any sensitive information, as per
our security alerts measure, we want to disable
the error messages. Kindly let me know how to do this.
Thanks&Regards,
Naresh
On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML) <[email protected]> wrote:
Hi,
I suppose that you mean the contents
"java.lang.NumberFormatException: For input
string:". Exceptions are compulsory by the
WMS standard. The following codes are
reserved for special meanings.
InvalidFormat
InvalidCRS
LayerNotDefined
StyleNotDefined
LayerNotQueryable
InvalidPoint
CurrentUpdateSequence
InvalidUpdateSequence
MissingDimensionValue
InvalidDimensionValue
OperationNotSupported
The error that triggers your error does
not quite suit with these predefined
meanings and therefore the error code must
be something else. The code that you get
now is "java.lang.NumberFormatException".
At least it is somewhat informative but
would you rather see some other text as an
error message?
The client can also ask for exceptions in another
format with &EXCEPTIONS=INIMAGE or
&EXCEPTIONS=BLANK, but the default XML
format is still mandatory and it can't be
turned off.
-Jukka Rahkonen-
-----Original message-----
From: naresh [mailto:[email protected]]
Sent: 29 August 2018 16:33
To: [email protected]
Subject: [Geoserver-users] Disabling error
response of WMS/WFS to the Clients/users
Hello ALL,
Please see the following error message
received on wrong values of params of WMS
request
<ServiceExceptionReport
xmlns="http://www.opengis.net/ogc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
version="1.3.0"
xsi:schemaLocation="http://www.opengis.net/ogc
http://bhuvan-suvidha.nrsc.gov.in/geoserver/schemas/wms/1.3.0/exceptions_1_3_0.xsd">
<ServiceException>
java.lang.NumberFormatException: For input
string: "" For input string: ""
</ServiceException>
</ServiceExceptionReport>
I want to disable the error message, it
should not be displayed to user
*How to disable errors displaying messages
in Geoserver. *
Please help solving my issue
Thanks&Regards,
Naresh
--
Sent from:
http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html
Geoserver-users mailing list
Please make sure you read the following
two resources before posting to this list:
- Earning your support instead of buying
it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting
guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an
improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
Ian Turton
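Added example (not part of the original thread and not GeoServer code): a sketch of the response-rewriting proxy step suggested in the thread, which keeps the mandatory ServiceExceptionReport and any code attribute but replaces text that names a Java exception class with a neutral message and a reference to the server-side record. The function name, the regex and the wording of the neutral message are assumptions; the sample bodies are constructed from the two responses quoted above.

```python
import re
import uuid
import xml.etree.ElementTree as ET

OGC_NS = "http://www.opengis.net/ogc"
ET.register_namespace("", OGC_NS)  # keep the report's default namespace on output

# Java fully qualified exception/error class names, or stack-trace frames.
LEAK = re.compile(
    r"\b(?:[a-z_][a-z0-9_]*\.)+[A-Z]\w*(?:Exception|Error)\b|^\s*at\s+[\w.$]+\(",
    re.M,
)

def sanitize_report(body: bytes):
    """Return (sanitized_body, incidents); incidents belong in the server-side log."""
    root = ET.fromstring(body)
    incidents = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "ServiceException":
            continue
        text = (el.text or "").strip()
        if LEAK.search(text):
            ref = uuid.uuid4().hex[:12]
            incidents.append((ref, text))  # full detail stays with the admin
            # Element and code= attribute are kept: the XML report is mandatory.
            el.text = f"The request could not be processed. Reference: {ref}"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), incidents

# Constructed sample bodies modelled on the two responses quoted in the thread.
LEAKY = b"""<ServiceExceptionReport xmlns="http://www.opengis.net/ogc" version="1.3.0">
<ServiceException>
java.lang.NumberFormatException: For input string: "acu330"
</ServiceException>
</ServiceExceptionReport>"""

CLEAN = b"""<ServiceExceptionReport xmlns="http://www.opengis.net/ogc" version="1.3.0">
<ServiceException code="InvalidFormat">
There is no support for creating maps in image/png88 format
</ServiceException>
</ServiceExceptionReport>"""

if __name__ == "__main__":
    for sample in (LEAKY, CLEAN):
        out, incidents = sanitize_report(sample)
        print(out.decode())
        print("log:", incidents)
```

Messages that already carry a defined OGC code and no Java class name, such as the InvalidFormat response, pass through unchanged, so the user still learns what was wrong with the request.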