Description
Take a look at the sample XML response for an arbitrary review, when a user tries to fetch data without any authentication.
In the case of public servers and malicious users, I don't think that exposing the stack trace makes sense when we have "access denied".
Now anonymous users know a lot about the underlying stack (Jetty, Spring, Jersey, etc.) and could theoretically use this knowledge to prepare an exploit more easily.
<?xml version='1.0' encoding='UTF-8'?>
<error>
  <code>NotPermitted</code>
  <message>You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12</message>
  <stacktrace>com.atlassian.crucible.spi.services.NotPermittedException: You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12
    at com.atlassian.crucible.spi.impl.DefaultReviewService.requireReviewPermission(DefaultReviewService.java:1240)
    at com.atlassian.crucible.spi.impl.DefaultReviewService.getReview(DefaultReviewService.java:359)
    at com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:362)
    at com.atlassian.crucible.spi.rpc.RestReviewService$10.doGet(RestReviewService.java:361)
    at com.atlassian.crucible.spi.rpc.ConditionalGet.doConditionalGet(ConditionalGet.java:46)
    at com.atlassian.crucible.spi.rpc.RestReviewService.getReview(RestReviewService.java:360)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at com.sun.jersey.impl.model.method.dispatch.EntityParamDispatchProvider$ResponseOutInvoker._dispatch(EntityParamDispatchProvider.java:156)
    at com.sun.jersey.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:85)
    at com.sun.jersey.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:123)
    at com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
    at com.sun.jersey.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:71)
    at com.sun.jersey.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:111)
    at com.sun.jersey.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:63)
    at com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:722)
    at com.sun.jersey.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:692)
    at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:344)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1144)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at com.cenqua.crucible.filters.CrucibleFilter.doFilter(CrucibleFilter.java:140)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at com.cenqua.fisheye.web.filters.TotalityFilter.doFilter(TotalityFilter.java:192)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:129)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at com.cenqua.fisheye.web.filters.ProductInfoFilter.doFilter(ProductInfoFilter.java:32)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at com.cenqua.fisheye.web.filters.UpfrontFilter.doFilter(UpfrontFilter.java:39)
    at org.mortbay.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1136)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:726)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:206)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:324)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:505)
    at org.mortbay.jetty.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:829)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:514)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:211)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:380)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:395)
    at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:450)
  </stacktrace>
</error>
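A regression check for the leak described above, added here as an example and not part of the report or of Crucible's own code: it parses an XML error body of the shape quoted in the report, flags a `<stacktrace>` element and internal class names in `<message>`, reports which stack layers the trace exposes, and builds the minimal body the anonymous client should have received. The layer-prefix map and the abridged sample are constructed for illustration.

```python
"""Audit a REST XML error body for stack-trace and class-name leakage."""
import re
import xml.etree.ElementTree as ET

# Package prefixes that reveal a stack layer (constructed, illustrative map).
LAYER_PREFIXES = {
    "org.mortbay.": "jetty",
    "org.springframework.": "spring",
    "com.sun.jersey.": "jersey",
    "com.atlassian.": "atlassian",
}
# Fully-qualified Java class name, optionally with an identity hash (Review@12).
FQCN_RE = re.compile(r"\b(?:[a-z][a-z0-9]*\.){2,}[A-Z]\w*(?:@[0-9a-f]+)?")

def audit_error_body(xml_body: str) -> dict:
    """Return leakage findings for one <error> response body."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    message = root.findtext("message") or ""
    trace = root.findtext("stacktrace") or ""
    return {
        "code": root.findtext("code"),
        "has_stacktrace": bool(trace.strip()),
        "frames": len(re.findall(r"\bat\s+\S+\(", trace)),
        "layers": sorted({n for p, n in LAYER_PREFIXES.items() if p in trace}),
        "internal_names_in_message": sorted(set(FQCN_RE.findall(message))),
    }

def sanitize_error_body(xml_body: str) -> str:
    """Keep only <code> and a <message> stripped of internal names; drop the trace."""
    root = ET.fromstring(xml_body.encode("utf-8"))
    safe = ET.Element("error")
    ET.SubElement(safe, "code").text = root.findtext("code") or "Error"
    msg = FQCN_RE.sub("", root.findtext("message") or "")
    ET.SubElement(safe, "message").text = msg.strip(" :")
    return ET.tostring(safe, encoding="unicode")

# Constructed sample: an abridged copy of the response quoted in the report.
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<error><code>NotPermitted</code>
<message>You do not have permission to View the review CR-33: com.cenqua.crucible.model.Review@12</message>
<stacktrace>com.atlassian.crucible.spi.services.NotPermittedException: denied
 at com.sun.jersey.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:123)
 at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:83)
 at org.mortbay.jetty.Server.handle(Server.java:324)</stacktrace></error>"""

if __name__ == "__main__":
    print(audit_error_body(SAMPLE))
    print(sanitize_error_body(SAMPLE))
```

Run as a test against a real unauthenticated response and fail the build when `has_stacktrace` or `internal_names_in_message` is non-empty.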
Issue Links
- relates to CRUC-4625 Wrong HTTP response codes leak information (Closed)