[Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Hi,

If you use just non-supported outputformat

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88

then the error is

There is no support for creating maps in image/png88 format

Your error comes from non-numeric height parameter

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8

gives similar error

java.lang.NumberFormatException: For input string: "acu330"

By reading the WMS 1.3.0 standard such invalid WIDTH and HEIGHT parameters are not really dealt with in it. What is closest is in this:
“If the WMS server has declared that a Layer has fixed width and height, as described in 7.2.4.7.5, then the client shall specify exactly those WIDTH and HEIGHT values in the GetMap request and the server may issue a service exception otherwise.”

The message reveals that the server is Java based, which is something that the end user does not need to know. It is also telling that the number format used in the request is not correct and that’s useful information for the user. Disabling the whole exception is not possible because it is mandatory. So what is left is filtering the “java.lang” away. I believe it could be done (I am not a developer) but I believe that it would not be any huge improvement for the security. If somebody proves that I am wrong I can change my mind.

-Jukka Rahkonen-

From: Naresh N [mailto:naresh919@…84…]
Sent: 30 August 2018 9:52
To: Rahkonen Jukka (MML) <jukka.rahkonen@…6847…>
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Please find the below request

http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&format=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode:kds_name&width=200

The above request is generated by a Web Application Security tool, and it is listed as a security alert as it is showing the error message as java.lang.Number Format Exception. Recommendation is to disable the error message. Kindly help me to resolve this.

Thanks&Regards,

Naresh

On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML) <jukka.rahkonen@…6847…> wrote:

Hi,

Please show the whole request with the wrong &FORMAT= parameter.

-Jukka Rahkonen-


From: Naresh N
Sent: 30.8.2018 7:22
To: Rahkonen Jukka (MML)
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Thanks for the response. The error message ‘java.lang.Number FormatException’ belongs to InvalidFormat. Instead of showing the service exception, i.e. java.lang.Number Format Exception, how to display an InvalidFormat message to the user. Although this error is not displaying any sensitive information, as per our security alerts measure, we want to disable the error messages. Kindly let me know how to do it.

Thanks&Regards,

Naresh

On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML) <jukka.rahkonen@…6847…> wrote:

Hi,

I suppose that you mean the contents " java.lang.NumberFormatException: For input string:". Exceptions are compulsory by the WMS standard. The following codes are reserved for special meanings.

InvalidFormat
InvalidCRS
LayerNotDefined
StyleNotDefined
LayerNotQueryable
InvalidPoint
CurrentUpdateSequence
InvalidUpdateSequence
MissingDimensionValue
InvalidDimensionValue
OperationNotSupported

The error that triggers your error does not quite suit with these predefined meanings and therefore the error code must be something else. The code that you get now is “java.lang.NumberFormatException”. At least it is somewhat informative but would you rather see some other text as an error message?

Client can also ask exceptions in another format with &EXCEPTIONS=INIMAGE or &EXCEPTIONS=BLANK, but the default XML format is still mandatory and it can’t be turned off.

-Jukka Rahkonen-

-----Original Message-----
From: naresh [mailto:naresh919@…84…]
Sent: 29 August 2018 16:33
To: geoserver-users@lists.sourceforge.net
Subject: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Hello ALL,

Please see the following error message received on wrong values of params of WMS request



java.lang.NumberFormatException: For input string: “” For input string: “”

I want to disable the error message, it should not be displayed to user

*How to disable errors displaying messages in Geoserver.*

Please help solving my issue

Thanks&Regards,
Naresh


Sent from: http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html


Check out the vibrant tech community on one of the world’s most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
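
One way to do the "filtering the java.lang away" that Jukka mentions without switching off the mandatory exception report is to rewrite the report in a reverse proxy or response filter placed in front of GeoServer. The sketch below is an added example, not code from this thread or from GeoServer; the function name, the generic wording and the sample reports are assumptions constructed for illustration. The withheld details are returned so they can go to the server log instead of the response.

```python
import re
import xml.etree.ElementTree as ET

# Exception codes the WMS standard reserves (the list quoted in this thread).
RESERVED_CODES = {
    "InvalidFormat", "InvalidCRS", "LayerNotDefined", "StyleNotDefined",
    "LayerNotQueryable", "InvalidPoint", "CurrentUpdateSequence",
    "InvalidUpdateSequence", "MissingDimensionValue",
    "InvalidDimensionValue", "OperationNotSupported",
}

# Text that exposes the implementation: a dotted Java class name ending in
# Exception/Error, or a stack-trace frame "at pkg.Class.method(File.java:1)".
LEAK = re.compile(
    r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"
    r"|^\s*at\s+[\w.$]+\([^)]*\)",
    re.MULTILINE,
)

# Assumed wording; it does not echo the offending request value back.
GENERIC_MESSAGE = "Invalid request parameter value."


def _local(tag):
    """Strip an XML namespace: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def sanitize_report(xml_text):
    """Return (sanitized_xml, withheld) for a ServiceExceptionReport.

    The report and every ServiceException element are kept, so the client
    still receives the exception the standard requires. Messages that match
    LEAK are replaced, and codes outside RESERVED_CODES are dropped (an
    allowlist policy chosen for this example). Other XML passes unchanged.
    Note: ElementTree does not re-emit a DOCTYPE, so a WMS 1.1.1 report
    loses its DTD reference when it is serialized again.
    """
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "ServiceExceptionReport":
        return xml_text, []
    if root.tag.startswith("{"):
        # Keep the report's default namespace un-prefixed on output.
        ET.register_namespace("", root.tag[1:].split("}")[0])
    withheld = []
    for el in root.iter():
        if _local(el.tag) != "ServiceException":
            continue
        code = el.get("code")
        if code is not None and code not in RESERVED_CODES:
            withheld.append("code=" + code)
            del el.attrib["code"]
        text = (el.text or "").strip()
        if LEAK.search(text):
            withheld.append(text)
            el.text = GENERIC_MESSAGE
    return ET.tostring(root, encoding="unicode"), withheld


# Constructed sample modelled on the NumberFormatException quoted above.
LEAKY_REPORT = """<ServiceExceptionReport version="1.3.0" xmlns="http://www.opengis.net/ogc">
  <ServiceException>java.lang.NumberFormatException: For input string: "acu330"</ServiceException>
</ServiceExceptionReport>"""

# Constructed sample: a database driver class name and a stack frame.
DB_REPORT = """<ServiceExceptionReport version="1.1.1">
  <ServiceException code="java.lang.RuntimeException">org.postgresql.util.PSQLException: connection refused
    at org.postgresql.Driver.connect(Driver.java:1)</ServiceException>
</ServiceExceptionReport>"""

# Constructed sample: a reserved code with a harmless message is left alone.
HARMLESS_REPORT = """<ServiceExceptionReport version="1.1.1">
  <ServiceException code="InvalidFormat">There is no support for creating maps in image/png88 format</ServiceException>
</ServiceExceptionReport>"""

if __name__ == "__main__":
    for report in (LEAKY_REPORT, DB_REPORT, HARMLESS_REPORT):
        clean, withheld = sanitize_report(report)
        print(clean)
        print("log only:", withheld)
```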

Dear Jukka Rahkonen,

Thanks a lot for response and explaining detail.

Best Regards,
Naresh.N

Hello Jukka,

the ‘java.lang.NumberFormatException’ is only one example for error messages that expose system details. There might be a lot of other information that will be shown to potential attackers when detailed error messages are shown to the user, f.e. database related errors showing the database vendor (and indirectly also the database version).

So I also think that error messages should be more generic!

Regards

Daniel

We’re always happy to receive improvements.

Ian

Ian Turton

Dear All,
Is it possible to display generic error messages by doing any settings in Geoserver. If it is not possible, is there any way of not displaying/showing any kind of error messages to users.

Please let me know.

Thanks&Regards,
Naresh

On Tue, Sep 11, 2018 at 6:34 PM Ian Turton <ijturton@anonymised.com> wrote:

We’re always happy to receive improvements.

Ian

On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing. <Daniel.Calliess@anonymised.com> wrote:

Hello Jukka,

the ‘java.lang.NumberFormatException’ is only one example for error messages that expose system details. There might be a lot of other information that will be shown to potential attackers when detailed error messages are shown to the user, f.e. database related errors showing the database vendor (and indirectly also the database version).

So I also think that error messages should be more generic!

Regards

Daniel

From: Naresh N [mailto:naresh919@anonymised.com]
Sent: Friday, August 31, 2018 11:20 AM
To: jukka.rahkonen@anonymised.com
Cc: Geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Thanks a lot for response and explaining detail.

Best Regards,

Naresh.N

Hi Naresh,

I do not believe it is possible which is why Ian was suggesting improvements are always welcome.

Needless to say, security through obscurity is pretty poor security, which is likely why this hasn’t been done yet. Even as merely one layer of security. If your security relies on an attacker not knowing your database vendor and/or version, you have bigger problems than the content of an error message. If your db version is anything other than something very close to “latest-stable” then you are already likely open to have known vulnerabilities, and there are only a tiny handful of real database options.

Now, from a user-friendliness perspective, a more user-friendly error than GeoServer’s “here’s a big wall of scary technical stuff that only really means anything to a few dozen people in the world” would be great, at least for the basic errors like “your SLD is borked”. That said, posting parts of said big wall to this list does frequently elicit the help of such people… so… swings and roundabouts.

Cheers,

Jonathan

On 12/09/2018 09:36, Naresh N wrote:

Dear All,
Is it possible to display generic error messages by doing any settings in Geoserver. If it is not possible, is there any way of not displaying/showing any kind of error messages to users.

Please let me know.

Thanks&Regards,
Naresh

On Tue, Sep 11, 2018 at 6:34 PM Ian Turton <ijturton@anonymised.com> wrote:

We’re always happy to receive improvements.

Ian

On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing. <Daniel.Calliess@…8565…> wrote:

Hello Jukka,

the ‘java.lang.NumberFormatException’ is only one example for error messages that expose system details. There might be a lot of other information that will be shown to potential attackers when detailed error messages are shown to the user, f.e. database related errors showing the database vendor (and indirectly also the database version).

So I also think that error messages should be more generic!

Regards

Daniel

From: Naresh N [mailto:naresh919@anonymised.com]
Sent: Friday, August 31, 2018 11:20 AM
To: jukka.rahkonen@anonymised.com
Cc: Geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonent,

Thanks a lot for response and explaining detail.

Best Regards,

Naresh.N

On Thu, Aug 30, 2018 at 5:56 PM Rahkonen Jukka (MML) <jukka.rahkonen@anonymised.com> wrote:

Hi,

If you use just non-supported outputformat

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88

then the error is

There is no support for creating maps in image/png88 format

Your error comes from non-numeric height parameter

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8

gives similar error

java.lang.NumberFormatException: For input string: "acu330"

By reading the WMS 1.3.0 standard such invalid WIDTH and HEIGHT parameters are not really deald in it. What is closest is in this:
“If the WMS server has declared that a Layer has fixed width and height, as described in 7.2.4.7.5, then the client shall specify exactly those WIDTH and HEIGHT values in the GetMap request and the server may issue a service exception otherwise.”

The message reveals that server is Java based which is something that the end user does not need to know. It is also telling that number format used in the request is not correct and that’s useful information for the user. Disabling the whole exception in not possible because it is mandatory. So what is left is filtering the “java.lang” away. I believe it could be done (I am not a developer) but I believe that it would not be any huge improvement for the security. If somebody proves that I am wrong I can change my mind.

-Jukka Rahkonen-

Lähettäjä: Naresh N [mailto:naresh919@anonymised.com]
Lähetetty: 30. elokuuta 2018 9:52
Vastaanottaja: Rahkonen Jukka (MML) <jukka.rahkonen@anonymised.com>
Aihe: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Dear Jukka Rahkonent,

Please find the below request

http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&fo

rmat=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode

:kds_name&width=200

The above request is generated by Web Application Security tool, and is is listed as security alert as it is showing the error message as java.lang.Number Format Exception. Recommendation is to disable the error message. Kindly help me to resolve this.

Thanks&Regards,

Naresh

On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML) <jukka.rahkonen@anonymised.com…> wrote:

Hi,

Please show the whole request with the wrong &FORMAT= parameter.

-Jukka Rahkonen-


Lähettäjä: Naresh N
Lähetetty: ‎30.‎8.‎2018 7:22
Vastaanottaja: Rahkonen Jukka (MML)
Aihe: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonent,

Thanks for the response. The error message ’ java.lang.Number FormatException’ belongs to InvaildFormat. Instead of showing service exception i.,e java.lang.Number Format Exception, how to display InvalidFormat message to user. Although this erros is not displaying any sensitive information, as per our security alerts measure, we want disable the error messages. Kindly let me know how to do.

Thanks&Regards,

Naresh

On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML) <jukka.rahkonen@anonymised.com> wrote:

Hi,

I suppose that you mean the contents " java.lang.NumberFormatException: For input string:". Exceptions are compulsory by the WMS standard. The following codes are reserved for special meanings.

InvalidFormat
InvalidCRS
LayerNotDefined
StyleNotDefined
LayerNotQueryable
InvalidPoint
CurrentUpdateSequence
InvalidUpdateSequence
MissingDimensionValue
InvalidDimensionValue
OperationNotSupported

The error that triggers your error does not quite suit with these predefined meanings and therefore the error code must be something else. The code that you get now is “java.lang.NumberFormatException”. At least it is somewhat informative but would you rather see some other text as an error message?

Client can also ask exceptions in another format with &EXCEPTIONS=INIMAGE of &EXCEPTIONS=BLANK, but the default XML format is still mandatory and it can’t be turned off.

-Jukka Rahkonen-

-----Alkuperäinen viesti-----
Lähettäjä: naresh [mailto:naresh919@anonymised.com4…]
Lähetetty: 29. elokuuta 2018 16:33
Vastaanottaja: geoserver-users@lists.sourceforge.net
Aihe: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Hello ALL,

Please see the following error message received on wrong values of params of WMS request



java.lang.NumberFormatException: For input string: “” For input string: “”

I want to disable the error message, it should not be displayed to user

*How to disable errors displaying messages in Geoserver.*

Please help solving my issue

Thanks&Regards,
Naresh



Ian Turton



_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: [http://www.ianturton.com/talks/foss4g.html#/](http://www.ianturton.com/talks/foss4g.html#/)
- The GeoServer user list posting guidelines: [http://geoserver.org/comm/userlist-guidelines.html](http://geoserver.org/comm/userlist-guidelines.html)

If you want to request a feature or an improvement, also see this: [https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer](https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer)

[Geoserver-users@lists.sourceforge.net](mailto:Geoserver-users@anonymised.comsourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-users](https://lists.sourceforge.net/lists/listinfo/geoserver-users)

I think a “suppress error messages” mode would be a nice-to-have feature. It would certainly make our customers happy to see those findings disappear from scan reports.

Also, the full error messages should pretty much always be available in the server log. Displaying a generic error and saying “please check the server log” doesn’t seem unreasonable.

Jason


On Mon, Sep 17, 2018 at 3:31 PM, Jonathan Moules <jonathan-lists@anonymised.com> wrote:

Hi Naresh,

I do not believe it is possible which is why Ian was suggesting improvements are always welcome.

Needless to say, security through obscurity is pretty poor security, which is likely why this hasn’t been done yet. Even as merely one layer of security. If your security relies on an attacker not knowing your database vendor and/or version, you have bigger problems than the content of an error message. If your db version is anything other than something very close to “latest-stable” then you are already likely open to have known vulnerabilities, and there are only a tiny handful of real database options.

Now, from a user-friendliness perspective, a more user-friendly error than GeoServer’s “here’s a big wall of scary technical stuff that only really means anything to a few dozen people in the world” would be great, at least for the basic errors like “your SLD is borked”. That said, posting parts of said big wall to this list does frequently elicit the help of such people… so… swings and roundabouts.

Cheers,

Jonathan

On 12/09/2018 09:36, Naresh N wrote:

Dear All,
Is it possible to display generic error messages by doing any settings in Geoserver? If it is not possible, is there any way not displaying/showing any kind of error messages to users?

Please let me know.

Thanks&Regards,
Naresh

On Tue, Sep 11, 2018 at 6:34 PM Ian Turton <ijturton@anonymised.com> wrote:

We’re always happy to receive improvements.

Ian

On Tue, 11 Sep 2018 at 13:52, Calliess Daniel Ing. <Daniel.Calliess@anonymised.comsalzburg.at> wrote:

Hello Jukka,

the ‘java.lang.NumberFormatException’ is only one example for error messages that expose system details. There might be a lot of other information that will be shown to potential attackers when detailed error messages are shown to the user, f.e. database related errors showing the database vendor (and indirectly also the database version).

So I also think that error messages should be more generic!

Regards

Daniel

From: Naresh N [mailto:naresh919@anonymised.com]
Sent: Friday, August 31, 2018 11:20 AM
To: jukka.rahkonen@maanmittauslaitos.fi
Cc: Geoserver-users@anonymised.comsourceforge.net
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Thanks a lot for response and explaining detail.

Best Regards,

Naresh.N

On Thu, Aug 30, 2018 at 5:56 PM Rahkonen Jukka (MML) <jukka.rahkonen@maanmittauslaitos.fi> wrote:

Hi,

If you use just non-supported outputformat

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=330&srs=EPSG%3A4326&format=image/png88

then the error is

There is no support for creating maps in image/png88 format

Your error comes from non-numeric height parameter

http://localhost:8080/geoserver/topp/wms?service=WMS&version=1.1.0&request=GetMap&layers=topp%3Astates&bbox=-124.73142200000001%2C24.955967%2C-66.969849%2C49.371735&width=768&height=acu330&srs=EPSG%3A4326&format=image/png8

gives similar error

java.lang.NumberFormatException: For input string: "acu330"

By reading the WMS 1.3.0 standard such invalid WIDTH and HEIGHT parameters are not really dealt with in it. What is closest is in this:
“If the WMS server has declared that a Layer has fixed width and height, as described in 7.2.4.7.5, then the client shall specify exactly those WIDTH and HEIGHT values in the GetMap request and the server may issue a service exception otherwise.”

The message reveals that server is Java based which is something that the end user does not need to know. It is also telling that number format used in the request is not correct and that’s useful information for the user. Disabling the whole exception is not possible because it is mandatory. So what is left is filtering the “java.lang” away. I believe it could be done (I am not a developer) but I believe that it would not be any huge improvement for the security. If somebody proves that I am wrong I can change my mind.

-Jukka Rahkonen-

From: Naresh N [mailto:naresh919@anonymised.com]
Sent: 30 August 2018 9:52
To: Rahkonen Jukka (MML) <jukka.rahkonen@maanmittauslaitos.fi>
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Please find the below request

http://bhuvan-suvidha.nrsc.gov.in/geoserver/wms/reflect?layers=geonode:kds_name&width=200&height=150&format=image/png8&format=image/png8&height=acu7746%EF%BC%9Cs1%EF%B9%A5s2%CA%BAs3%CA%B9uca7746&layers=geonode:kds_name&width=200

The above request is generated by Web Application Security tool, and is listed as security alert as it is showing the error message as java.lang.NumberFormatException. Recommendation is to disable the error message. Kindly help me to resolve this.

Thanks&Regards,

Naresh

On Thu, Aug 30, 2018 at 11:17 AM Rahkonen Jukka (MML) <jukka.rahkonen@maanmittauslaitos.fi> wrote:

Hi,

Please show the whole request with the wrong &FORMAT= parameter.

-Jukka Rahkonen-


From: Naresh N
Sent: 30.8.2018 7:22
To: Rahkonen Jukka (MML)
Subject: Re: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Dear Jukka Rahkonen,

Thanks for the response. The error message 'java.lang.NumberFormatException' belongs to InvalidFormat. Instead of showing service exception, i.e. java.lang.NumberFormatException, how to display InvalidFormat message to user. Although this error is not displaying any sensitive information, as per our security alerts measure, we want to disable the error messages. Kindly let me know how to do.

Thanks&Regards,

Naresh

On Wed, Aug 29, 2018 at 8:08 PM Rahkonen Jukka (MML) <jukka.rahkonen@maanmittauslaitos.fi> wrote:

Hi,

I suppose that you mean the contents " java.lang.NumberFormatException: For input string:". Exceptions are compulsory by the WMS standard. The following codes are reserved for special meanings.

InvalidFormat
InvalidCRS
LayerNotDefined
StyleNotDefined
LayerNotQueryable
InvalidPoint
CurrentUpdateSequence
InvalidUpdateSequence
MissingDimensionValue
InvalidDimensionValue
OperationNotSupported

The error that triggers your error does not quite suit with these predefined meanings and therefore the error code must be something else. The code that you get now is “java.lang.NumberFormatException”. At least it is somewhat informative but would you rather see some other text as an error message?

Client can also ask exceptions in another format with &EXCEPTIONS=INIMAGE or &EXCEPTIONS=BLANK, but the default XML format is still mandatory and it can’t be turned off.

-Jukka Rahkonen-

-----Original Message-----
From: naresh [mailto:naresh919@anonymised.com]
Sent: 29 August 2018 16:33
To: geoserver-users@anonymised.comsourceforge.net
Subject: [Geoserver-users] Disabling error response of WMS/WFS to the Clients/users

Hello ALL,

Please see the following error message received on wrong values of params of WMS request



java.lang.NumberFormatException: For input string: “” For input string: “”

I want to disable the error message, it should not be displayed to user

*How to disable errors displaying messages in Geoserver.*

Please help solving my issue

Thanks&Regards,
Naresh



Ian Turton



Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
jason@anonymised.com
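
The approach suggested in this thread (a generic error for the client, the full detail in the server log), sketched as a response filter that could sit in a reverse proxy in front of the WMS. This is an added example, not GeoServer code or a GeoServer setting; the function name, logger name, generic message text and the sample response are assumptions constructed for illustration.

```python
import logging
import uuid
import xml.etree.ElementTree as ET

log = logging.getLogger("wms_error_filter")  # hypothetical logger name

# Exception codes reserved by the WMS standard, as listed in the thread.
RESERVED_CODES = {
    "InvalidFormat", "InvalidCRS", "LayerNotDefined", "StyleNotDefined",
    "LayerNotQueryable", "InvalidPoint", "CurrentUpdateSequence",
    "InvalidUpdateSequence", "MissingDimensionValue",
    "InvalidDimensionValue", "OperationNotSupported",
}
GENERIC = "The request could not be processed. Reference: {ref}"

def _local(tag):
    """Element name without an XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def sanitize_exception_report(body, new_ref=lambda: uuid.uuid4().hex[:12]):
    """Replace exception details with generic text and log the original.

    `body` is the upstream server's own response (bytes). Anything that is
    not a ServiceExceptionReport, such as a map image, is returned unchanged.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return body
    if _local(root.tag) != "ServiceExceptionReport":
        return body
    for exc in root.iter():
        if _local(exc.tag) != "ServiceException":
            continue
        ref = new_ref()
        code = exc.get("code")
        # Full detail stays server-side, tied to the reference the client sees.
        log.warning("WMS exception ref=%s code=%s detail=%r",
                    ref, code, (exc.text or "").strip())
        if code is not None and code not in RESERVED_CODES:
            del exc.attrib["code"]  # drop implementation-specific codes
        exc.text = GENERIC.format(ref=ref)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

# Constructed sample response, not captured from a real server.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<ServiceExceptionReport version="1.1.1">
  <ServiceException code="java.lang.NumberFormatException">java.lang.NumberFormatException: For input string: "acu330"</ServiceException>
  <ServiceException code="InvalidFormat">There is no support for creating maps in image/png88 format</ServiceException>
</ServiceExceptionReport>"""
```

The XML exception report is still returned, as the standard requires, and the standard's reserved codes are kept so clients can still react to them; only the free text and non-standard codes are replaced.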