While running a vulnerability scan against a project recently, the scanner reported an "Application error message" finding. The fix suggested by a Baidu search was to configure error-page entries in web.xml, but that does not help here: the error is intercepted and handled directly by Tomcat, before the web application ever sees it. The cause turned out to be a Tomcat upgrade: newer Tomcat applies much stricter checks to special characters in HTTP requests and answers a request that does not conform with a 400 error, and the default error page for that 400 can leak backend information (server name and version). The error message therefore has to be customized at the Tomcat level.

The fix is to subclass ErrorReportValve and override its report method as follows (note that report is called with t == null for pure status-code errors such as this 400, so the Throwable must be null-checked):
package error;

import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ErrorReportValve;

public class CustomErrorReportValve extends ErrorReportValve {

    // Create a simple logger
    private static final Logger log = Logger.getLogger(CustomErrorReportValve.class.getName());

    @Override
    protected void report(Request request, Response response, Throwable t) {
        try {
            // getReporter() returns null when the response body has already been
            // started; in that case there is nothing left for us to replace.
            PrintWriter out = response.getReporter();
            if (out == null) {
                return;
            }
            response.setContentType("text/html;charset=UTF-8");
            // Write a more friendly, less technical message to the user.
            // No status text, server version or exception detail is echoed here.
            out.write("<html><head><title>Oops</title></head><body>");
            out.write("<h1>Oops</h1>");
            out.write("<p>Well, that didn't go as we had expected.</p>");
            out.write("<p>Don't worry though, we're working on it.</p>");
            out.write("</body></html>");
            out.flush();
            // Log the error with your favorite logging framework...
            // t is null for status-code-only errors such as the 400 described above.
            if (t != null) {
                log.log(Level.SEVERE, "Uncaught throwable was thrown", t);
            } else {
                log.severe("Custom error page rendered for status " + response.getStatus());
            }
        } catch (IOException e) {
            log.log(Level.SEVERE, "Failed to write custom error page", e);
        }
    }
}
Then set the following attribute on the Host element in Tomcat's server.xml; the value must be the fully qualified name of the class above, and the compiled class (typically packaged as a jar) must be placed where Tomcat's own class loader can find it, i.e. in $CATALINA_HOME/lib rather than inside a web application:

<Host errorReportValveClass="error.CustomErrorReportValve" . . . />

Then restart Tomcat and the fix is in place.
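To confirm the change took effect without waiting for the next scan, the following added script (not part of the original post) sends a request whose path contains a character that Tomcat's stricter URI parsing rejects and checks whether the 400 body still carries fragments of the stock error page. The host and port are placeholders for your own Tomcat instance, and the marker list is constructed for this check.

```python
"""Check that a Tomcat host's 400 error page no longer leaks server details.

Added example, not part of the original post. Target host/port are placeholders
for your own Tomcat instance; LEAK_MARKERS is a constructed list of fragments
taken from Tomcat's default error page that vulnerability scanners flag.
"""
from __future__ import annotations
import socket
import sys

# Fragments of the stock Tomcat error page (constructed list for this check)
LEAK_MARKERS = (
    "Apache Tomcat/",           # server name and version in the page footer
    "HTTP Status 400",          # title of the stock error page
    "Invalid character found",  # Tomcat's own description of the URI rejection
    "Exception report",         # stack-trace section of stock 500 pages
)


def build_probe_request(host: str, path: str = "/{probe}") -> bytes:
    """Raw HTTP/1.1 request; the '{' in the path trips Tomcat's URI character check."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> tuple[int, str]:
    """Return (status code, decoded body) from a raw HTTP response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status = int(head.split(b" ", 2)[1])
    return status, body.decode("utf-8", errors="replace")


def find_leaks(body: str) -> list[str]:
    """Markers of the stock error page present in the body (empty list means clean)."""
    return [marker for marker in LEAK_MARKERS if marker in body]


def probe(host: str, port: int = 8080, timeout: float = 5.0) -> tuple[int, list[str]]:
    """Send the probe to your own Tomcat and return (status, leak markers found)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe_request(host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    status, body = parse_response(b"".join(chunks))
    return status, find_leaks(body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"  # placeholder: your Tomcat host
    code, leaks = probe(target)
    print(f"status={code} leaked={leaks or 'nothing'}")
```

A status of 400 with an empty marker list means the custom valve is serving the error page; any marker listed means the stock page is still being returned.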