If you trigger an uncaught error in Stapler, such as browsing /static/ prior to stapler 552aaab, the stack trace is displayed in the web browser. This is usually harmless but there could in principle be stack traces which expose internal details of value to an attacker. These should be suppressed.
- relates to: JENKINS-60410 Suppress stack traces in core - Resolved
Code changed in jenkins
User: Jesse Glick
Path:
core/src/main/java/hudson/security/csrf/CrumbFilter.java
core/src/main/java/jenkins/model/Jenkins.java
core/src/main/resources/jenkins/model/Jenkins/error.jelly
core/src/main/resources/jenkins/model/Jenkins/error.properties
war/src/main/webapp/WEB-INF/web.xml
http://jenkins-ci.org/commit/jenkins/121c1312d5bd9c69f5d9a859926659217c69e61d
Log:
JENKINS-17782 Set a custom error page for the web app and suppress stack traces for non-administrators.
Needs a matching change in Stapler.
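The behaviour the commit message describes (a custom error page that withholds stack traces from non-administrators), sketched as an added example; this is not the Jenkins or Stapler code. The class `ErrorPageDemo`, the method `renderErrorPage`, the `isAdmin` flag and the sample exception are hypothetical and constructed for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical demo class. In a servlet container this logic would sit in the
// handler that web.xml maps with <error-page>, reading the throwable from the
// "javax.servlet.error.exception" request attribute.
public class ErrorPageDemo {
    private static final Logger LOGGER = Logger.getLogger(ErrorPageDemo.class.getName());

    /** Minimal HTML escaping so exception text cannot inject markup into the page. */
    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /**
     * Builds the error page body. The full trace always goes to the server log,
     * tagged with an ID; only administrators get it echoed back in the response.
     */
    static String renderErrorPage(Throwable error, boolean isAdmin) {
        String errorId = UUID.randomUUID().toString();
        LOGGER.log(Level.WARNING, "Unhandled error, id " + errorId, error);

        StringBuilder html = new StringBuilder("<h1>Error</h1>\n");
        html.append("<p>A problem occurred while processing the request. ")
            .append("Error ID: ").append(errorId).append("</p>\n");
        if (isAdmin) {
            StringWriter trace = new StringWriter();
            error.printStackTrace(new PrintWriter(trace, true));
            html.append("<pre>").append(escape(trace.toString())).append("</pre>\n");
        }
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed failure whose message would leak an internal path.
        Throwable t = new IllegalStateException("cannot read /var/lib/app/secrets/<key>.pem");
        String anonymous = renderErrorPage(t, false);
        String admin = renderErrorPage(t, true);
        System.out.println("anonymous sees trace: " + anonymous.contains("IllegalStateException"));
        System.out.println("admin sees trace:     " + admin.contains("IllegalStateException"));
        System.out.println(anonymous);
    }
}
```

The error ID lets an administrator match a user's report to the full trace in the server log without the trace ever reaching the user's browser.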