Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-55306

Confluence error pages should remove stack trace from being output to the UI


      NOTE: This suggestion is for Confluence Server.

      Problem Definition

      The Confluence error page typically displays "Oops - an error has occurred", it displays System error, the cause, then the stack trace that deals with that error. This is not desirable for all instances as it could be a security risk or provide unnecessary complexity for normal users.
      As noted in Open Web Application Security's Improper Error Handling suggestions:

      Improper handling of errors can introduce a variety of security problems for a web site. The most common problem is when detailed internal error messages such as stack traces, database dumps, and error codes are displayed to the user (hacker). These messages reveal implementation details that should never be revealed. Such details can provide hackers important clues on potential flaws in the site and such messages are also disturbing to normal users.

      Suggested Solution

      Have Confluence error pages have the possibility to have admins edit this page to not show the stack trace (or display a custom message) and just inform the user that an error has happened and that he/she need to grab assistance from the admin.


      Security Bug Fix Policy

            19cb521e4007 Ajay Sharma (Inactive)
            kcao@atlassian.com Kim My Cao (Inactive)
            52 Vote for this issue
            56 Start watching this issue