MMBase

Web-site visitor can pollute the logs

Details

  • Type: Bug
  • Status: Open
  • Priority: Major
  • Resolution: Unresolved
  • Affects Version/s: 1.9.0
  • Fix Version/s: 2.0.0
  • Component/s: Core
  • Description:
    A visitor of an mmbase web-site can pollute the logs by hacking in the URL.

    E.g. by changing a node-number in the URL to a node number of the wrong type:

    mitulo/ 2009-04-06 13:07:16,434 WARN mmbase.module.core.MMObjectNode checkFieldExistance.454 - Application stacktrace
            at org.mmbase.bridge.jsp.taglib.FieldTag.doStartTag(FieldTag.java:236)
            at org.apache.jsp.nazorg.thema.themes.articles.article_jsp._jspx_meth_mm_005ffield_005f28(article_jsp.java:5791)


    mitulo/ 2009-04-06 13:07:16,071 WARN mmbase.module.core.ClusterBuilder addRelationDirections.1127 - No relation defined between typedef and images using RelationStep(tablename:descposrel, alias:descposrel, nodes:null, dir:destination, role:DescriptionPositionRelation/descposrel) with direction(s) DESTINATION. Trying anyway, but perhaps the query should be fixed, because this should always result nothing.



    These are sensible warnings, but it would be good if you could easily configure them away on a production environment.

Activity

Michiel Meeuwissen added a comment - 2009-04-06 13:30
I suggest introducing new logging categories for these.

org.mmbase.CHECKS.FIELD_EXISTANCE
org.mmbase.CHECKS.TYPE_RELS

or so.

You can then configure org.mmbase.CHECKS to ERROR in the log4j.xml of a production environment.
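
The effect of the proposed categories, as an added example that is not part of the original thread or of MMBase's code. It uses java.util.logging from the JDK as a stand-in for log4j (both resolve a category's threshold from its nearest configured ancestor, and SEVERE plays the role of ERROR); the category names are the ones proposed above, and the messages and node numbers are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;

public class CheckCategoriesDemo {
    // Keep strong references: java.util.logging holds loggers only weakly.
    static final Logger BASE = Logger.getLogger("org.mmbase");
    static final Logger CHECKS = Logger.getLogger("org.mmbase.CHECKS");
    static final Logger FIELD = Logger.getLogger("org.mmbase.CHECKS.FIELD_EXISTANCE");
    static final Logger RELS = Logger.getLogger("org.mmbase.CHECKS.TYPE_RELS");
    static final Logger OTHER = Logger.getLogger("org.mmbase.module.core.MMObjectNode");

    /** Emits constructed sample events and returns what reaches the handler. */
    static List<String> emit(Level checksLevel) {
        final List<String> seen = new ArrayList<>();
        Handler capture = new Handler() {
            @Override public void publish(LogRecord r) {
                seen.add(r.getLevel() + " " + r.getLoggerName() + " - " + r.getMessage());
            }
            @Override public void flush() { }
            @Override public void close() { }
        };
        BASE.setUseParentHandlers(false); // only our capturing handler sees records
        BASE.setLevel(Level.WARNING);
        BASE.addHandler(capture);
        CHECKS.setLevel(checksLevel);     // null means: inherit WARNING from org.mmbase
        try {
            // Visitor-triggered checks (constructed messages, hypothetical node numbers)
            FIELD.warning("field 'title' does not exist on node 1234");
            RELS.warning("no relation defined between typedef and images");
            // A check category can still report a real failure at SEVERE
            FIELD.severe("field check failed while writing node 1234");
            // Warning from a category outside the CHECKS subtree
            OTHER.warning("storage is slow");
        } finally {
            BASE.removeHandler(capture);
        }
        return seen;
    }

    public static void main(String[] args) {
        System.out.println("development (CHECKS inherits WARNING):");
        emit(null).forEach(line -> System.out.println("  " + line));
        System.out.println("production (CHECKS raised to SEVERE):");
        emit(Level.SEVERE).forEach(line -> System.out.println("  " + line));
    }
}
```

With the threshold raised only on the parent category, both child categories stop emitting warnings while SEVERE records from them and warnings from other categories still reach the log.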

Michiel Meeuwissen added a comment - 2009-04-06 15:25
BTW, a useful logging.properties for Tomcat may be:


# File present because of http://marc.info/?l=tomcat-user&m=121803589531634&w=2
# http://www.nabble.com/Setting-CATALINA_BASE-failed-with-tomcat-6.0.18-td18844106.html

handlers = org.apache.juli.FileHandler
org.apache.juli.FileHandler.level = FINE
org.apache.juli.FileHandler.formatter = java.util.logging.SimpleFormatter
org.apache.juli.FileHandler.directory = ${catalina.base}/logs
org.apache.juli.FileHandler.prefix = catalina.


############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = org.apache.juli.FileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].handlers = org.apache.juli.FileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/admin].handlers = org.apache.juli.FileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level = INFO
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].handlers = org.apache.juli.FileHandler



# Avoid that errors from pages are logged and pollute our log
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[default].level = OFF
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[default].handlers = org.apache.juli.FileHandler

org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[jsp].level = OFF
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/].[jsp].handlers = org.apache.juli.FileHandler

Dates

  • Created: 2009-04-06 13:19
  • Updated: 2009-04-06 15:25