
Jetty 9: don't want to show the stack trace for security reasons

Stack Overflow user
Asked 2021-04-07 02:54:09
2 answers, 91 views, 0 followers, 0 votes

Versions: jetty-9.4.38.v20210224, logging via Slf4jLog, Spring Boot 2.4.4, Spring 5.3.5.

A pentest was run against our code, and after sending a malformed header with cURL we got the following response, which reveals the stack trace and exposes that Jetty is in use:

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 400 Bad header value for X-Forwarded-Port</title>
</head>
<body><h2>HTTP ERROR 400 Bad header value for X-Forwarded-Port</h2>
<table>
<tr><th>URI:</th><td>/</td></tr>
<tr><th>STATUS:</th><td>400</td></tr>
<tr><th>MESSAGE:</th><td>Bad header value for X-Forwarded-Port</td></tr>
<tr><th>SERVLET:</th><td>-</td></tr>
<tr><th>CAUSED BY:</th><td>org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Port</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.NumberFormatException: For input string: &quot;zwrtxqvas9lm4kzkw0&quot;</td></tr>
</table>
<h3>Caused by:</h3><pre>org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Port
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.onError(ForwardedRequestCustomizer.java:550)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.customize(ForwardedRequestCustomizer.java:478)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:384)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:279)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:383)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:882)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1036)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.NumberFormatException: For input string: &quot;zwrtxqvas9lm4kzkw0&quot;
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Integer.parseInt(Integer.java:580)
    at java.lang.Integer.parseInt(Integer.java:615)
    at org.eclipse.jetty.util.HostPort.parsePort(HostPort.java:171)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer$Forwarded.handleForwardedPort(ForwardedRequestCustomizer.java:856)
    at org.eclipse.jetty.server.ForwardedRequestCustomizer.customize(ForwardedRequestCustomizer.java:473)
    ... 15 more
</pre>

</body>
</html>
```

Previously, to avoid exposing the Jetty version, I disabled SendServerVersion, but I have not been able to find any configuration that disables the stack trace.

```java
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.handler.StatisticsHandler;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

@Configuration
public class JettyConfiguration implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {

    @Override
    public void customize(JettyServletWebServerFactory factory) {

        factory.addServerCustomizers(server -> {

            /* StatisticsHandler needed for graceful shutdown */
            StatisticsHandler statisticsHandler = new StatisticsHandler();
            statisticsHandler.setHandler(server.getHandler());
            server.setHandler(statisticsHandler);

            /* Autoforwarded Configuration */
            for (Connector connector : server.getConnectors()) {
                ConnectionFactory connectionFactory = connector.getDefaultConnectionFactory();
                if (connectionFactory instanceof HttpConnectionFactory) {
                    HttpConnectionFactory defaultConnectionFactory = (HttpConnectionFactory) connectionFactory;
                    HttpConfiguration httpConfiguration = defaultConnectionFactory.getHttpConfiguration();
                    /* Suppress the "Server: Jetty(...)" response header */
                    httpConfiguration.setSendServerVersion(false);
                    /* Honour X-Forwarded-* headers from the reverse proxy */
                    httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
                }
            }

        });

    }

}
```

What is the best way to disable the stack trace? TIA


2 Answers

Stack Overflow user

Answered 2021-04-07 05:00:02

Jetty, like most web servers, ships a default exception handler. If you don't like the default exception handler, register your own.

Just provide an ExceptionHandler for RuntimeException and general errors, e.g. "backend failure, please retry later" with status 500.

There are many articles on how to implement exception handlers in Spring. I've added one just for reference.

exception handling spring boot

Votes 1

Stack Overflow user

Answered 2021-04-12 22:37:12

I first tried to solve this by implementing a GlobalExceptionHandler with @ControllerAdvice; unfortunately it did not seem to be triggered, which I believe is related to the fact that it is meant for exceptions thrown by MVC.

The request crafted by the pentester used a malformed header, so the error is raised by the ErrorHandler; I ended up creating my own ErrorHandler and overriding the handle method.

This seems to work, but it may be too strict, and I worry it will make debugging harder later. Any suggestions or improvements? Thanks

```java
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.springframework.boot.web.embedded.jetty.JettyServerCustomizer;
import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Configuration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

@Configuration
public class JettyConfiguration implements WebServerFactoryCustomizer<JettyServletWebServerFactory> {

    @Override
    public void customize(JettyServletWebServerFactory factory) {

        JettyServerCustomizer customizer = server -> {
            MyErrorHandler myErrorHandler = new MyErrorHandler();
            /* These flags tune Jetty's default HTML error page; they have no effect
               once handle() below is overridden without calling the default logic. */
            myErrorHandler.setShowStacks(false);
            myErrorHandler.setShowMessageInTitle(false);
            myErrorHandler.setShowServlet(false);
            /* Replace the server-wide error handler (used for errors raised outside any servlet,
               such as the bad X-Forwarded-Port header from the question) */
            server.setErrorHandler(myErrorHandler);
        };
        factory.addServerCustomizers(customizer);

        factory.addServerCustomizers(server -> {

            /* Autoforwarded Configuration */
            for (Connector connector : server.getConnectors()) {
                ConnectionFactory connectionFactory = connector.getDefaultConnectionFactory();
                if (connectionFactory instanceof HttpConnectionFactory) {
                    HttpConnectionFactory defaultConnectionFactory = (HttpConnectionFactory) connectionFactory;
                    HttpConfiguration httpConfiguration = defaultConnectionFactory.getHttpConfiguration();
                    httpConfiguration.setSendServerVersion(false);
                    httpConfiguration.addCustomizer(new ForwardedRequestCustomizer());
                }
            }

        });

    }


    static class MyErrorHandler extends ErrorHandler {

        @Override
        public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException
        {
            /* Intentionally empty: Jetty has already set the status code, so the client
               receives the bare status with no message, class names or stack trace.
               Uncommenting the line below restores the default error page generation. */
            //doError(target, baseRequest, request, response);
        }

    }

}
```
Votes 0
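An added example, not from the question or either answer, of a less strict ErrorHandler than the empty one in the answer above: it keeps the cause in the server log via the standard servlet error attributes Jetty sets before dispatching to the error handler, and returns only the status code with its standard reason phrase. The class name OpaqueErrorHandler is made up; it is installed with server.setErrorHandler(...) exactly as in the answer.

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpStatus;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical ErrorHandler: generic body for the client, full diagnostics in the server log. */
public class OpaqueErrorHandler extends ErrorHandler {
    private static final Logger LOG = LoggerFactory.getLogger(OpaqueErrorHandler.class);

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException, ServletException {
        // Jetty sets the status (400 in the question) before dispatching to the error handler.
        int status = response.getStatus();
        if (status < 400) {
            status = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        }

        // The message and cause are exposed as standard servlet error attributes; keep them
        // server-side so the incident stays diagnosable without echoing them to the client.
        Object message = request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        LOG.warn("HTTP {} for {} {}: {}", status, request.getMethod(), target, message, cause);

        // Fixed response: status and standard reason phrase only, never cacheable.
        baseRequest.setHandled(true);
        response.setStatus(status);
        response.setHeader("Cache-Control", "must-revalidate,no-cache,no-store");
        response.setContentType("text/plain;charset=utf-8");
        response.getWriter().println("Error " + status + " " + HttpStatus.getMessage(status));
    }

    /** Install on the embedded server, e.g. inside factory.addServerCustomizers(...). */
    public static void install(Server server) {
        server.setErrorHandler(new OpaqueErrorHandler());
    }
}
```

With this in place the malformed X-Forwarded-Port request from the question gets a plain "Error 400 Bad Request" body, while the NumberFormatException and its stack trace go to the application log at WARN level.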
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/66974799