Bug 324676

Summary: Report Viewer should not return detailed technical errors to the user interface
Product: z_Archived
Reporter: Brandon <brandon.shannon>
Component: BIRT
Assignee: Birt-ReportViewer <Birt-ReportViewer-inbox>
Status: NEW ---
QA Contact: Xiaoying Gu <bluesoldier>
Severity: major
Priority: P3
CC: bluesoldier
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Windows XP
Whiteboard:

Description Brandon CLA 2010-09-07 13:15:47 EDT
Build Identifier: 3.4.1

Report Viewer should not return detailed technical errors to the user interface.

For example, if the file name put on the request to the report viewer is not valid, the error that is returned to the UI contains the path to the report files on the server.  That is great during development and testing, but isn't so good in production.  In production, with real end users, the BIRT Viewer should never return detailed technical errors to the UI.

There should be a setting (web.xml or .properties file) that essentially 'turns off' detailed and technical error messages for security purposes.

I'm classifying this as Major because typically people wouldn't let this type of security issue into production.

Reproducible: Always

Steps to Reproduce:
1. Run a report
2. Mess up the name of the report in the /frameset mapping URL
3. You'll get an error back that shows the path to the report files on the server.
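
A sketch of the behaviour requested in this report, as an added example that is not part of the original report and is not BIRT code: the full exception goes to the server log under an incident ID, and the browser receives only a generic message carrying that ID unless detailed errors are explicitly enabled. The class name, the `viewer.detailedErrors` property and the sample path are assumptions made for illustration.

```java
import java.io.FileNotFoundException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added illustration, not BIRT code: keep technical error detail out of the UI. */
public class SafeErrorMessages {
    private static final Logger LOG = Logger.getLogger(SafeErrorMessages.class.getName());

    // Hypothetical switch standing in for the web.xml/.properties setting the
    // report asks for. Unset means false, so detail is hidden by default.
    static boolean detailedErrors() {
        return Boolean.getBoolean("viewer.detailedErrors");
    }

    /** Builds the text sent to the browser; full detail always goes to the server log. */
    static String userMessage(Throwable error, boolean detailed) {
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Report request failed, incident " + incidentId, error);
        if (detailed) {
            // Development/testing: echo the exception, including any server path in it.
            return error.getClass().getName() + ": " + error.getMessage();
        }
        // Production: nothing derived from the exception reaches the response.
        return "The report could not be displayed. Reference: " + incidentId;
    }

    public static void main(String[] args) {
        // Constructed sample: the kind of exception a mistyped report name can produce.
        Exception e = new FileNotFoundException(
                "/opt/example/reports/sales_typo.rptdesign (No such file or directory)");
        System.out.println("detailed:   " + userMessage(e, true));
        System.out.println("production: " + userMessage(e, false));
        System.out.println("configured: " + userMessage(e, detailedErrors()));
    }
}
```

The incident ID lets support staff find the matching stack trace in the server log without the user ever seeing the report directory.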