How to hide or customize the error page (stack trace), thanks


Momo

A vulnerability in Jenkins was detected by a web vulnerability scanner.
When a specific string is entered on the login page, it causes Jenkins to generate an error message as follows...
How can I disable (hide) or customize the error page to solve this vulnerability (sensitive information)?

I tried:
1. using the latest version (Jenkins)
2. editing web.xml (<error-page>)
3. using the Suppress Stack Trace plugin
but it still shows Oops! and the stack trace message.

Thanks!

Stack trace
org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0
    at org.eclipse.jetty.util.Utf8Appendable.appendByte(Utf8Appendable.java:254)
    at org.eclipse.jetty.util.Utf8Appendable.append(Utf8Appendable.java:155)
    at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:522)
    at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:577)
    at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:568)
    at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:519)
    at org.eclipse.jetty.server.Request.getParameters(Request.java:430)
Caused: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
    at org.eclipse.jetty.server.Request.getParameters(Request.java:434)
    at org.eclipse.jetty.server.Request.getParameter(Request.java:1059)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.obtainUsername(AuthenticationProcessingFilter.java:113)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:53)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
.....

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/c3aee488-f1be-403c-9f95-96654d2e2fca%40googlegroups.com.
Re: How to hide or customize the error page (stack trace), thanks

Adrien Lecharpentier
If you used the Suppress Stack Trace plugin but you still have the stack traces, maybe you need to file a bug on the plugin tracker.

On Wed, 22 Jan 2020 at 15:53, Momo <[hidden email]> wrote:

A vulnerability in Jenkins was detected by a web vulnerability scanner.
When a specific string is entered on the login page, it causes Jenkins to generate an error message as follows...
How can I disable (hide) or customize the error page to solve this vulnerability (sensitive information)?

I tried:
1. using the latest version (Jenkins)
2. editing web.xml (<error-page>)
3. using the Suppress Stack Trace plugin
but it still shows Oops! and the stack trace message.

Thanks!

Stack trace
org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0
    at org.eclipse.jetty.util.Utf8Appendable.appendByte(Utf8Appendable.java:254)
    at org.eclipse.jetty.util.Utf8Appendable.append(Utf8Appendable.java:155)
    at org.eclipse.jetty.util.UrlEncoded.decodeUtf8To(UrlEncoded.java:522)
    at org.eclipse.jetty.util.UrlEncoded.decodeTo(UrlEncoded.java:577)
    at org.eclipse.jetty.server.Request.extractFormParameters(Request.java:568)
    at org.eclipse.jetty.server.Request.extractContentParameters(Request.java:519)
    at org.eclipse.jetty.server.Request.getParameters(Request.java:430)
Caused: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
    at org.eclipse.jetty.server.Request.getParameters(Request.java:434)
    at org.eclipse.jetty.server.Request.getParameter(Request.java:1059)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.obtainUsername(AuthenticationProcessingFilter.java:113)
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.attemptAuthentication(AuthenticationProcessingFilter.java:53)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:252)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93)
.....



--
Adrien Lecharpentier
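
A way to confirm whether an error response still discloses a Java stack trace after each of the options tried in this thread, as an added example (not code from the thread or from Jenkins): the function scans a response body for exception class names and "at ..." frames and reports which packages are exposed. Both sample bodies are constructed; the leaky one reuses lines from the trace quoted above.

```python
import re

# Constructed sample: an error page body carrying lines from the trace in the thread.
LEAKY_BODY = """<html><body><h1>Oops!</h1><pre>
org.eclipse.jetty.util.Utf8Appendable$NotUtf8Exception: Not valid UTF8! byte Bf in state 0
    at org.eclipse.jetty.util.Utf8Appendable.appendByte(Utf8Appendable.java:254)
    at org.eclipse.jetty.server.Request.getParameters(Request.java:430)
Caused: org.eclipse.jetty.http.BadMessageException: 400: Unable to parse form content
    at org.acegisecurity.ui.webapp.AuthenticationProcessingFilter.obtainUsername(AuthenticationProcessingFilter.java:113)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
</pre></body></html>"""

# Constructed sample: an error page with the trace suppressed.
CLEAN_BODY = "<html><body><h1>Oops!</h1><p>A problem occurred while processing the request.</p></body></html>"

# One stack frame: "at <class>.<method>(<File>.java:<line>)"
FRAME_RE = re.compile(r"^\s*at\s+([\w.$]+)\.([\w$<>]+)\(([\w$]+\.java):(\d+)\)", re.M)
# A fully qualified Java class whose name ends in Exception or Error
EXC_RE = re.compile(r"\b((?:[a-z_][a-z0-9_]*\.)+[A-Z][\w$]*(?:Exception|Error))\b")


def audit_error_body(body):
    """Summarise what an HTTP error body discloses about the server internals."""
    exceptions = sorted(set(EXC_RE.findall(body)))
    frames = FRAME_RE.findall(body)
    # The first two package segments are enough to identify the component.
    packages = sorted({".".join(cls.split(".")[:2]) for cls, _m, _f, _l in frames})
    return {
        "leaks": bool(exceptions or frames),
        "exceptions": exceptions,
        "frame_count": len(frames),
        "packages": packages,
    }


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_BODY), ("clean", CLEAN_BODY)):
        print(name, audit_error_body(body))
```

Run it against the saved body of the error response after each configuration change; the check passes only when "leaks" is False.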
