Hi,
The service exceptions may also contain messages from the Java code, for example NPE messages, or something like this:
<?xml version="1.0" ?><ServiceExceptionReport
version="1.2.0"
xmlns="http://www.opengis.net/ogc"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.opengis.net/ogc http://schemas.opengis.net/wfs/1.0.0/OGC-exception.xsd">
java.lang.RuntimeException: Parsing failed for DIAMETRE: java.lang.NumberFormatException
Parsing failed for DIAMETRE: java.lang.NumberFormatException
null
In this case the content of the message may be, as the WFS 1.0.0 standard puts it, "The content of the element is an exception message that the service wished to convey to the client application".
-Jukka Rahkonen-
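As an added illustration of the "band-aid" Jody describes below (force the ServiceException document to carry no backend detail) applied to the kind of report quoted above, here is a small response filter. It is example code written for this thread, not GeoServer or GeoTools code; the sample report, the leak patterns and the logger name are constructed assumptions.

```python
import logging
import re
import uuid
import xml.etree.ElementTree as ET

OGC_NS = "http://www.opengis.net/ogc"

# Constructed sample modelled on the reports quoted in this thread: one
# benign client-side error and one Oracle failure bubbled up from the JVM.
LEAKY_REPORT = """<?xml version="1.0" ?>
<ServiceExceptionReport version="1.2.0" xmlns="http://www.opengis.net/ogc">
  <ServiceException code="InvalidParameterValue">Feature type 'roads' is not available.</ServiceException>
  <ServiceException>java.lang.RuntimeException: java.io.IOException java.io.IOException null ORA-01722: invalid number</ServiceException>
</ServiceExceptionReport>"""

# Markers of backend or runtime detail that should never reach a client (assumed set).
LEAK_PATTERNS = [
    re.compile(r"\bORA-\d{5}\b"),                       # Oracle error codes
    re.compile(r"\bjava\.[\w.]+(Exception|Error)\b"),   # JVM exception class names
    re.compile(r"\bSQLException\b"),                    # generic JDBC failures
]

def leaks_backend_detail(text):
    """True if an exception message reveals database or JVM internals."""
    return any(p.search(text) for p in LEAK_PATTERNS)

def sanitize_report(xml_text, log=None):
    """Return (sanitized report, list of reference ids).

    Each ServiceException whose text leaks backend detail is replaced by a
    generic message carrying a random reference id; the original text is
    logged server-side under that id so operators can still debug it.
    Benign, client-facing messages are left untouched.
    """
    log = log or logging.getLogger("wfs.sanitizer")   # assumed logger name
    ET.register_namespace("", OGC_NS)                 # keep the default namespace on output
    root = ET.fromstring(xml_text)
    refs = []
    for exc in root.iter("{%s}ServiceException" % OGC_NS):
        message = (exc.text or "").strip()
        if leaks_backend_detail(message):
            ref = uuid.uuid4().hex[:12]
            log.error("ServiceException %s: %s", ref, message)
            exc.text = "The request could not be processed (reference %s)." % ref
            refs.append(ref)
    return ET.tostring(root, encoding="unicode"), refs

if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    report, refs = sanitize_report(LEAKY_REPORT)
    print(report)
```

The same pattern list can also be run over stored responses or access logs to find instances where a deployment is already leaking backend errors.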
Jody Garnett wrote:
In a perfect world the ServiceException would only return information when the client has made the mistake; in this case the ServiceException looks to be due to a configuration problem with your data store?
That is a tricky one; you can cut down on the information returned during server configuration.
There are a couple global settings about service exception here:about).
Try that, if your admin is still not satisfied you will need to do a code audit of the “JDBC DataStore” code and submit a patch masking any SQL Exception information that is passed back:
- https://github.com/geotools/geotools/tree/master/modules/library/jdbc
- https://github.com/geotools/geotools/tree/master/modules/plugin/jdbc/jdbc-oracle
If you have a team in place to do the work we would love the participation; if not, check out the commercial support page.
a) The formal approach would be to introduce strict error codes (also used for translation) and provide a “minimal” translation of the error codes for use in production.
b) The quick band-aid would be to patch where GeoServer produces a ServiceException document and force it to provide no details of the mistake.
Normally a web service would return an HTTP 500 Internal Server Error or something. An OGC WebService can actually return an HTTP 200 OK response that contains a ServiceException document.
Jody Garnett
On Thu, Jun 5, 2014 at 5:58 AM, Aijun Chen <aijunchen@…84…> wrote:
Hi,
We are using GeoServer WFS to serve Vector Data that are stored in Oracle Database in backend.
The WFS request directly returned errors that were produced by the Oracle DB to final users.
For example, when we submitted below WFS request to any GeoServer instance:
GeoServer returned the errors below to final users if the backend database is Oracle (I did not have a chance to test PostGIS as the backend database):
java.lang.RuntimeException: java.io.IOException java.io.IOException null ORA-01722: invalid number
This error directly discloses backend database information to final users.
Our security guys think that this is a security vulnerability and we need to fix it.
Considering that this error is directly returned by GeoServer, I am seeking any comments/suggestions/advice from users and developers in the GeoServer community to see if there is any way that we can fix this issue.
Any responses are highly appreciated!
Anderson Chen,
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users