Bug 324676 - Report Viewer should not return detailed technical errors to the user interface
Status: NEW
Alias: None
Product: z_Archived
Classification: Eclipse Foundation
Component: BIRT
Version: unspecified
Hardware: PC Windows XP
Importance: P3 major
Target Milestone: ---
Assignee: Birt-ReportViewer
QA Contact: Xiaoying Gu
Reported: 2010-09-07 13:15 EDT by Brandon
Modified: 2010-11-17 22:40 EST

Description Brandon 2010-09-07 13:15:47 EDT
Build Identifier: 3.4.1

Report Viewer should not return detailed technical errors to the user interface.

For example, if the file name put on the request to the report viewer is not valid, the error that is returned to the UI contains the path to the report files on the server.  That is great during development and testing, but isn't so good in production.  In production, with real end users, the BIRT Viewer should never return detailed technical errors to the UI.

There should be a setting (web.xml or .properties file) that essentially 'turns off' detailed and technical error messages for security purposes.

I'm classifying this as Major because typically people wouldn't let this type of security issue into production.

Reproducible: Always

Steps to Reproduce:
1. Run a report
2. Mess up the name of the report in the /frameset mapping URL
3. You'll get an error back that shows the path to the report files on the server.
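
The behaviour requested above, as an added example that is not part of the bug report and is not BIRT code: a production-mode error renderer that logs the detail server-side under a reference id, plus a check that flags server paths or Java stack frames in a response body. The `detailed_errors` switch, the function names and the sample path are assumptions made for illustration.

```python
import logging
import re
import uuid

log = logging.getLogger("viewer.errors")

# Signs of server internals in a user-facing response body.
LEAK_PATTERNS = [
    re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)+'),   # C:\dir\sub\
    re.compile(r"(?<![\w.:/])/(?:[\w.-]+/){2,}[\w.-]+"),   # /opt/app/file
    re.compile(r"\bat [\w$.]+\([\w$]+\.java:\d+\)"),       # Java stack frame
]


def find_leaks(body):
    """Return the substrings of body that look like server-side detail."""
    return [m.group(0) for p in LEAK_PATTERNS for m in p.finditer(body)]


def render_error(exc, detailed_errors=False):
    """Build the error text shown to the user.

    detailed_errors is a hypothetical deployment switch: True for
    development, False (the default) for production.
    """
    if detailed_errors:
        return f"{type(exc).__name__}: {exc}"
    # Production: keep the detail in the server log, keyed by a reference
    # the user can quote to support, and return a generic message.
    ref = uuid.uuid4().hex[:12]
    log.error("viewer error ref=%s", ref, exc_info=exc)
    return f"The report could not be displayed. Reference: {ref}"


if __name__ == "__main__":
    # Constructed sample: a mistyped report name resolved against a
    # made-up report directory.
    exc = FileNotFoundError(r"C:\birt\reports\sales_typo.rptdesign not found")
    for mode in (True, False):
        text = render_error(exc, detailed_errors=mode)
        print(mode, "->", text, "| leaks:", find_leaks(text))
```

Running `find_leaks` over the viewer's error responses in a deployment test catches a regression if detailed messages are switched back on.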