[https://issues.apache.org/jira/browse/NIFI-7962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17235556#comment-17235556]
David Handermann commented on NIFI-7962:
----------------------------------------
Is this still a problem when the *nifi.web.should.send.server.version* property
is set to false? The Jetty HttpConfiguration.writePoweredBy method appears to
honor the send server version property.
> NiFi should not respond with HTTP 500 errors for HTTP TRACK request
> -------------------------------------------------------------------
>
> Key: NIFI-7962
> URL: https://issues.apache.org/jira/browse/NIFI-7962
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework
> Affects Versions: 1.12.1
> Reporter: Andy LoPresto
> Priority: Trivial
> Labels: http, jetty, security
>
> The HTTP {{TRACK}} method was not specified in RFC 2068 [1] for HTTP 1.1 but
> is now available on some clients. NiFi currently responds to these requests
> with a 500 Internal Server Error page which reveals the version of the
> servlet API being used but does not contain any sensitive information. As
> NiFi is an open source project, the servlet API version would already be
> readily available to an attacker.
> The error page should be generic to obscure the servlet API version.
> [1] https://tools.ietf.org/html/rfc2068
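As an added example (not NiFi or Jetty code) of the check behind this discussion: a small Python probe that sends an unsupported method such as TRACK and flags a reply that is a 5xx or carries a version string in its Server/X-Powered-By headers or error page. The local target server, its "ExampleContainer" version strings and the leak heuristics are all constructed for the example.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed heuristics: headers and body fragments that disclose the stack.
VERSION_HEADERS = ("server", "x-powered-by")
BODY_PATTERN = re.compile(r"Powered by [\w.:/-]+\s*[\d.]+|Servlet(?: Spec)?\s*\d[\d.]*", re.I)

def audit(status, headers, body):
    """Return findings for one response to an unsupported method; [] is clean."""
    findings = []
    if status >= 500:  # should be a 4xx client error, not a server fault
        findings.append(f"unsupported method produced HTTP {status}")
    for name, value in headers:
        if name.lower() in VERSION_HEADERS and re.search(r"\d", value):
            findings.append(f"header {name} reveals a version: {value}")
    for match in BODY_PATTERN.finditer(body):
        findings.append(f"body reveals: {match.group(0)}")
    return findings

class TrackHandler(BaseHTTPRequestHandler):
    """Constructed target; probe() sets `leaky`: True mimics the 500 page from
    the issue, False the hardened shape (generic status and body, no version)."""

    def version_string(self):  # becomes the Server response header
        return "ExampleContainer/9.4.31" if self.leaky else "ExampleContainer"

    def do_TRACK(self):
        if self.leaky:
            status, body = 500, b"<h1>HTTP ERROR 500</h1><p>Powered by ExampleContainer 9.4.31</p>"
        else:
            status, body = 405, b"Method Not Allowed"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def probe(leaky, method="TRACK"):
    # Serve exactly one request on an ephemeral port, send `method`, audit the reply.
    handler = type("Handler", (TrackHandler,), {"leaky": leaky})
    httpd = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.handle_request, daemon=True).start()
    conn = http.client.HTTPConnection("127.0.0.1", httpd.server_port, timeout=5)
    conn.request(method, "/")
    resp = conn.getresponse()
    findings = audit(resp.status, resp.getheaders(), resp.read().decode(errors="replace"))
    conn.close()
    httpd.server_close()
    return findings
```

Against a real deployment, replace the constructed server with the host and port of the instance under review and run `audit` on the live response.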