Jira Data Center
JRASERVER-73263

Tomcat should not disclose its own version to unauthenticated users


Details

    Description

      Problem Definition

      When accessing URLs that aren't under the application context and are not defined in Tomcat, Tomcat returns a 404 along with its own version.

      Steps to reproduce problem

      • In a Jira instance whose context path is, for example, jira, browse http://<HOSTNAME>/non_existent_uri. Make sure you don't add the context to the URL; otherwise Jira returns its own 404 page rather than Tomcat's.
      • Tomcat's 404 page discloses its own version.

      Suggested Solution

      A 404 should still be returned, but Tomcat shouldn't disclose its own version.

      Workaround

      Alter the behavior of the error reporting by adding the following entry to your server.xml file:

      <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

      Make sure the valve is not added within the Jira context but at a higher level of the hierarchy (the Host, as in the example below, or the Engine), so that it also applies to requests that never reach the application context. Example:

      <Engine name="Catalina" defaultHost="localhost">
          <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

              <Context path="j8201" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
                  <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                            factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
                  <Manager pathname=""/>
                  <JarScanner scanManifest="false"/>
                  <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
              </Context>
              <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

          </Host>
          <Valve className="org.apache.catalina.valves.AccessLogValve"
                 pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
      </Engine>

      Note

      With showReport="false" on the valve, Tomcat returns only the HTTP status code as HTML instead of the full error report.
      Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error_Report_Valve
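      As an added check (not part of this issue or of Atlassian's code), the following Python script parses a server.xml and reports whether the ErrorReportValve workaround is present at Host or Engine level with showServerInfo="false"; the two embedded server.xml fragments are constructed samples, not a real Jira configuration.

```python
# Added check (not from the Jira issue): parse a Tomcat server.xml and report
# whether the ErrorReportValve workaround is in place at the right level.
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"


def error_valves(root):
    """Yield (valve element, parent tag name) for every ErrorReportValve."""
    parents = {child: parent for parent in root.iter() for child in parent}
    for valve in root.iter("Valve"):
        if valve.get("className") == ERROR_VALVE:
            yield valve, parents[valve].tag


def check_version_disclosure(server_xml):
    """Return a list of findings; an empty list means the workaround is applied."""
    root = ET.fromstring(server_xml)
    findings = []
    found = list(error_valves(root))
    # Only a valve at Host or Engine level covers URLs outside the Jira context.
    covering = [v for v, parent in found if parent in ("Host", "Engine")]
    if not any(v.get("showServerInfo", "true").lower() == "false" for v in covering):
        findings.append('no Host/Engine ErrorReportValve with showServerInfo="false": '
                        "Tomcat's default 404 page will include its version")
    for v, parent in found:
        if parent == "Context":
            findings.append("ErrorReportValve inside <Context> does not apply to "
                            "requests that never reach the application context")
        if v.get("showReport", "true").lower() != "false":
            findings.append('showReport is not "false": the error report body is still rendered')
    return findings


# Constructed samples: a default configuration and one with the workaround applied.
WEAK_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Context path="jira" docBase="${catalina.home}/atlassian-jira"/>
  </Host></Engine></Service></Server>"""

HARDENED_XML = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Context path="jira" docBase="${catalina.home}/atlassian-jira"/>
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false"/>
  </Host></Engine></Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(name, check_version_disclosure(xml) or "OK")
```

      Run it against the real server.xml by reading the file into a string and passing it to check_version_disclosure.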

      People

      Assignee: Unassigned
      Reporter: Arbi Dridi (adridi)