Hide Stacktrace in production

Hi,

Is there a way to hide this stacktrace and display only the generic error message instead?

The following example URL causes a stacktrace: http://bjoerne.xwiki.org/xwiki/bin/view/Main/?rev=<html+lang%3D"en-US"><head>

Version: 14.4.6

@tmortagne Do you have a hint for me? It came up when we executed an automated penetration test. So, it is a security issue for us.
The bjoerne.xwiki.org link is just an example. I guess that you can produce the error with every XWiki installation.
For me it’s not important to fix the error 500 in the first place, but to hide the stack trace.
Thank you,
Björn

Why is this stack trace a security issue?

Anyway, what prints this stack trace is the exception.vm template, $exp.getFullMessage() to be precise. I guess you could decide to comment it out if you really need to.

On my machine this line is located in exceptioninline.vm, but commenting it out does not deliver the results I was looking for, because the template fails when this is commented out.

Indeed, I answered too fast, it’s actually in exceptioninline.vm which is included in exception.vm.

What kind of error do you get? You should comment out the whole line, and in Velocity the comment syntax is two #, so you should end up with

    ##$escapetool.xml($exp.getFullMessage())

Oh, damn, I did not know that. I looked at the other comments in the file and they were only using one #, so I thought this was enough.

Thanks, working fine now, no stack traces anymore!

#if is not a comment, it’s actual code (an if condition here).

Thanks for the explanation, I did not know that and was wondering why this was working with this many comments. :grimacing:

EDIT: it would be great if instead of these stack traces, there’d be a trouble/error id and a separate error log, so admins could look at the corresponding logs to find the error faster.

Thank you guys, that helped!! I could fix it in my XWiki installation.

Glad it worked for you too. I recommend commenting out the line $services.localization.render('detailedinformation'):<br/> too, to get rid of the “Detailed Information:” line on the error page as well.