nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Hiding Error Text from UI

bshannon

It is obviously important that web applications keep technical errors from appearing in the user interface. The first thing that "white hat hackers" do is try and cause errors, to see if the application will give out information ( file paths, IP addresses, etc. ). 
 
To call a BIRT report we put the name of the report in the URL ( when calling /frameset... ). So, tweak the file name in the URL and you get an error back that gives the path to the reports on the server. Ouch. Severity #1 security issue. 
 
I've tried writing a servlet filter to catch this condition and stop it from going back to the UI - failure 
I've tried changing the source of the HTMLReportEmitter.java class and commenting out the 'outputErrors' call - also a failure 
 
Of course, I can use JavaScript or CSS to 'hide' the error from the UI, but the error text still came back to the browser, and the hacker/security dude can see it. 
 
I can't find a real solution! 
 
It really surprises me that the BIRT team hasn't put something in place to turn off detailed error messages. I like BIRT. I have lots of respect for what they've built. But this is really bad. Unless, of course, this was a design decision they made so that you have to step up to a paid product if you really want to use BIRT in production applications. If that's the case....they've successfully scr%@#ed me and I'm not liking them so much anymore. Either way, not cool. 
 
Has anyone fixed this? 
 
Brandon

Find more posts tagged with

Comments

JasonW

Brandon,

One way to fix this is to just remove the parameter form the messages file.
Extract the viewservlets.jar file (or add your own messages file) and look at the messages.properties file in this folder:
\org\eclipse\birt\report\resource\
Open the file and look for the error message and change it to
birt.viewer.generalException.REPORT_FILE_ERROR=The report file : does not exist or contains errors.

You may also want to change the document error message to.

Jason

bshannon

Uh, yea, um....that's a bit easier than what I was trying and will get me past the security scan. Thank you. 
 
Any comment on the topic in general? Any notion for BIRTs future to give us the option to simply turn off detailed error messages? 
 
Thanks, 
 
Brandon 
 
<blockquote class='ipsBlockquote' data-author="'JasonW'" data-cid="68181" data-time="1283871921" data-date="07 September 2010 - 08:05 AM">
Brandon, 
 
One way to fix this is to just remove the parameter form the messages file. 
Extract the viewservlets.jar file (or add your own messages file) and look at the messages.properties file in this folder: 
\org\eclipse\birt\report\resource\ 
Open the file and look for the error message and change it to 
birt.viewer.generalException.REPORT_FILE_ERROR=The report file : does not exist or contains errors. 
 
You may also want to change the document error message to. 
 
Jason </blockquote>

JasonW

Brandon

I thought this had already been logged in bugzilla but I can not seem to find the bug number. Do you mind logging it? It would be nice to have a web.xml setting to turn this off.

Jason

bshannon

You bet, and thanks again. 
 
P.S. -> For any future readers, you'll still get a Java Stack Trace in the UI, which I'm sure everyone agrees isn't good, but at least the path to the files on the server isn't there anymore. 
 
Brandon 
 
 
<blockquote class='ipsBlockquote' data-author="'JasonW'" data-cid="68189" data-time="1283875483" data-date="07 September 2010 - 09:04 AM">
Brandon 
 
I thought this had already been logged in bugzilla but I can not seem to find the bug number. Do you mind logging it? It would be nice to have a web.xml setting to turn this off. 
 
Jason </blockquote>

Anita Mathew

So what exactly does setting "BIRT_VIEWER_LOG_LEVEL" to OFF do? Is there really no way for me to turn off the Java Stack trace from appearing in the browser? I'm using BIRT 2.5.2.

Thanks,
A

JasonW

Turning the log level to off should stop the error from showing up in the log file. The stack trace in the generated report is created in the html emitter and currently the only way to disable it is to either modify the emitter code or put javascript in a text element to either forward to another page or parse the html and remove the div statements. To do a forward try something adding a text element (set its type to html) to the bottom of the report and enter a script like:

<script language="JavaScript">
var tst=<VALUE-OF>_jsContext.hasErrors()</VALUE-OF>
if( tst == true ){
window.location = "http://www.google.com";
}
</script>

Jason

spaddock

Has there ever been a fix for this? I've just upgraded to BIRT 3.7.1 and don't see a setting in the web.xml to do something like this. I changed the Messages file which helps a little but ultimately I need to turn on stack traces / error messages off as well. 
 
Kindest regards, 
Shayne 
 
 
<blockquote class='ipsBlockquote' data-author="'JasonW'" data-cid="68189" data-time="1283875483" data-date="07 September 2010 - 09:04 AM">
Brandon 
 
I thought this had already been logged in bugzilla but I can not seem to find the bug number. Do you mind logging it? It would be nice to have a web.xml setting to turn this off. 
 
Jason </blockquote>

JasonW

Referencing Eclipse.org/forums with same topic:
http://www.eclipse.org/forums/index.php/t/285379/

Jason