On 1/10/2014 3:28 PM, August Kleimo wrote:
I'm failing a PCI compliance scan because my Tomcat Version 7.0.20 server
is revealing the path to the document web root in an "exception-message"
header when a missing page is requested.

Does anyone know of a way to get rid of this header from the response?

Note: I'm running Railo 4.1.2 on top of Tomcat ... but I think this header
is coming from Tomcat.

$ curl -I http://mydomain.com/this-page-does-not-exist.html

HTTP/1.1 404 Not Found
Date: Fri, 10 Jan 2014 23:23:22 GMT
Server: Apache-Coyote/1.1
exception-message: Page
/this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html]
not found
Content-Type: text/html;charset=UTF-8
Content-Length: 44
Set-Cookie: cfid=686ea13b-ef35-43c3-b6e4-08270bbb4718;Path=/;Expires=Sun,
10-Jan-2044 07:14:52 GMT;HTTPOnly
Set-Cookie: cftoken=0;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close

From Tomcat 7.0.42 / APR Native on Fedora 20 with jre 1.7.0_45:

curl -I http://localhost:8080/this-does-not-exist.html
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 999
Date: Fri, 10 Jan 2014 23:46:44 GMT

A quick grep of the Tomcat 7 trunk code does not reveal the string 'exception-message' anywhere.

I didn't see anything in the change log concerning this, either.

. . . . just my (waiting for testing to be done) two cents
/mde/
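A defender-side check for the leak discussed in this thread, added here as an example (it is not code from either poster, nor from Tomcat or Railo): it parses a raw HTTP response head and flags header values that carry a filesystem path, which is what a compliance scanner trips on. The list of filesystem roots, the headers exempted as URL-path carriers, and both sample response heads are constructed assumptions modelled on the curl output quoted above.

```python
import re

# Heuristic: absolute paths under common Unix roots, or a Windows drive path.
# Adjust the root list for the hosts you scan (assumption, not from the thread).
FS_PATH_RE = re.compile(
    r'/(?:var|usr|home|opt|srv|etc|tmp|root)(?:/[\w.-]+)+'
    r'|[A-Za-z]:\\[^\s\]"]+')

# Headers whose values legitimately carry URL paths; skipped to avoid false positives.
URL_PATH_HEADERS = {'location', 'content-location', 'link', 'set-cookie'}

def parse_response_head(raw):
    """Split a raw HTTP/1.x head into (status_line, [(name, value), ...]);
    folded continuation lines (as the mail wraps the header) are re-joined."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    headers = []
    for line in lines[1:]:
        if line[0] in ' \t' and headers:          # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + ' ' + line.strip())
        else:
            name, _, value = line.partition(':')
            headers.append((name.strip().lower(), value.strip()))
    return lines[0].strip(), headers

def find_path_leaks(raw):
    """Return [(header_name, path), ...] for every header value exposing a
    filesystem path; an empty list means the response head is clean."""
    _, headers = parse_response_head(raw)
    return [(name, m.group(0))
            for name, value in headers if name not in URL_PATH_HEADERS
            for m in FS_PATH_RE.finditer(value)]

# Constructed sample modelled on the Railo-on-Tomcat 404 head quoted above.
LEAKY_404 = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
exception-message: Page
 /this-page-does-not-exist.html [/var/www/html/this-page-does-not-exist.html]
 not found
Content-Type: text/html;charset=UTF-8
Set-Cookie: cfid=PLACEHOLDER;Path=/;Expires=Sun, 10-Jan-2044 07:14:52 GMT;HTTPOnly
Connection: close
"""

# Constructed sample modelled on the plain Tomcat 7.0.42 head from the reply.
CLEAN_404 = """HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 999
"""
```

Feed it the output of `curl -I` against a non-existent page; the Railo-style head reports the `exception-message` leak while the plain Tomcat head reports nothing.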



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
