Thanks. Perhaps it's coming from Railo then. I'll investigate down that path.

On Fri, Jan 10, 2014 at 3:56 PM, Mark Eggers <its_toas...@yahoo.com> wrote:

> On 1/10/2014 3:28 PM, August Kleimo wrote:
>
>> I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
>> is revealing the path to the document web root in an "exception-message"
>> header when a missing page is requested.
>>
>> Does anyone know of a way to get rid of this header from the response?
>>
>> Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
>> is coming from Tomcat.
>>
>> $ curl -I http://mydomain.com/this-page-does-not-exist.html
>>
>> HTTP/1.1 404 Not Found
>> Date: Fri, 10 Jan 2014 23:23:22 GMT
>> Server: Apache-Coyote/1.1
>> exception-message: Page /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html] not found
>> Content-Type: text/html;charset=UTF-8
>> Content-Length: 44
>> Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
>> Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
>> Connection: close
>
> From Tomcat 7.0.42 / APR Native on Fedora 20 with jre 1.7.0_45:
>
> curl -I http://localhost:8080/this-does-not-exist.html
> HTTP/1.1 404 Not Found
> Server: Apache-Coyote/1.1
> Content-Type: text/html;charset=utf-8
> Content-Length: 999
> Date: Fri, 10 Jan 2014 23:46:44 GMT
>
> A quick grep of the Tomcat 7 trunk code does not reveal the string
> 'exception-message' anywhere.
>
> I didn't see anything in the change log concerning this, either.
>
> . . . . just my (waiting for testing to be done) two cents
> /mde/
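
Added example, not part of the original thread: a small check that reads `curl -I` output and flags any response header that discloses a server filesystem path, which is the condition the PCI scan reported. The sample input is constructed from the headers quoted above; the function names and the list of exempt headers are assumptions made for this illustration.

```python
import re

# Constructed sample: the 404 response headers quoted in the thread.
SAMPLE = """\
HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2014 23:23:22 GMT
Server: Apache-Coyote/1.1
exception-message: Page /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html] not found
Content-Type: text/html;charset=UTF-8
Content-Length: 44
Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close
"""

# Assumption: these headers carry URL paths by design, so they are not scanned.
URL_PATH_HEADERS = {"set-cookie", "location", "content-location", "link"}

# Unix absolute path with at least two segments, or a Windows drive path.
FS_PATH = re.compile(r"(?<![\w.:/-])(/(?:[\w.-]+/)+[\w.-]+|[A-Za-z]:\\[\w.\\-]+)")

def parse_headers(raw):
    """Return (name, value) pairs, unfolding wrapped continuation lines."""
    headers = []
    for line in raw.splitlines()[1:]:          # skip the HTTP status line
        if not line.strip():
            break                              # blank line ends the header block
        if line[0] in " \t" and headers:       # folded continuation of previous header
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return headers

def path_leaks(raw, request_path=""):
    """List (header, path) pairs exposing a filesystem path other than the requested URL."""
    findings = []
    for name, value in parse_headers(raw):
        if name.lower() in URL_PATH_HEADERS:
            continue
        for path in FS_PATH.findall(value):
            if path != request_path:           # the requested URL path itself is not a leak
                findings.append((name, path))
    return findings

if __name__ == "__main__":
    for name, path in path_leaks(SAMPLE, "/this-page-does-not-exist.html"):
        print(f"{name}: discloses {path}")
```

Running the same check against the Tomcat 7.0.42 response quoted above yields no findings, which matches the observation that stock Tomcat does not emit this header.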