I’ve been using Foundeo’s excellent HackMyCF scanning tool since the Railo days and I have never been able to “fix” the error:

> **Server is returning exception-message header**
>
> The default error handler for Railo or Lucee will return a HTTP response header called exception-message with the exception error message. This header may contain information that should not be disclosed to the public such as file system paths or other information that should not be disclosed. Railo 4.2.1.004 partially fixes this by default. Configure your web server to remove or overwrite this header.
>
> _More Information: http://jira.jboss.org/jira/browse/RAILO-3127_
I know there was some work on this as noted in the Jira link, but it doesn’t seem to have progressed in Lucee (?)
Is there anything planned for this or does anyone have a workaround? Does v5 address this?
Jay - thanks for bringing this up - it would be great to have the header disabled by default for remote method calls in Lucee. You probably should file a new bug (and post it here) if one does not already exist.
You might be able to have IIS strip out the header value using something like this:
Hey Pete, Pothys is asking for more details in the bug report. Do you think you could pop in and explain exactly what’s triggering the warning in HMCF?
Just noticed Lucee exposes the path in the error message for argument validation:
invalid call of the function exposePath (ram:///main1507860812701-dc89ba6a-2655-24be-a16f-b9e23c7c528a.cfm-1F9873BB-0C7F-4955-80E1E55B0DB19474.cfm), first Argument (id) is of invalid type, can't cast String [1,2] to a value of type [numeric] on line 6
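Added example (not code from the thread, from Foundeo's tool or from Lucee): a small Python check that reproduces the two conditions discussed in this thread, the `exception-message` response header that HackMyCF flags and a file-system or `ram:///` path leaking in the error text as in the message above, run over constructed sample responses. The path regexes and the sample header value are my own assumptions about what such a leak looks like.

```python
import re

# Assumed shapes of path-like strings in error text: Lucee/Railo virtual file
# systems (ram:///..., zip://...), Windows drive paths, Unix paths to a .cfm/.cfc.
PATH_PATTERNS = [
    re.compile(r"\b(?:ram|file|zip):/{2,3}[^\s\"')]+", re.I),
    re.compile(r"\b[A-Za-z]:\\[^\s\"')]+"),
    re.compile(r"(?<![\w:])/(?:[\w.-]+/)+[\w.-]+\.cf[cm]\b"),
]

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body).
    Header names are lowercased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def find_paths(text):
    """Return every path-like substring found in text."""
    return [m for pattern in PATH_PATTERNS for m in pattern.findall(text)]

def check_response(raw):
    """Return the findings for one response; an empty list means it is clean."""
    _, headers, body = parse_response(raw)
    findings = []
    if "exception-message" in headers:
        findings.append("exception-message header present")
        if find_paths(headers["exception-message"]):
            findings.append("exception-message header discloses a path")
    if find_paths(body):
        findings.append("error body discloses a path")
    return findings

# Constructed sample: an unfiltered Railo/Lucee error response. The body reuses the
# argument-validation message quoted in the thread; the header value is made up.
LEAKY = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Content-Type: text/html\r\n"
    "exception-message: could not read C:\\inetpub\\wwwroot\\app\\config.cfm\r\n\r\n"
    "invalid call of the function exposePath (ram:///main1507860812701-dc89ba6a-2655-24be-"
    "a16f-b9e23c7c528a.cfm-1F9873BB-0C7F-4955-80E1E55B0DB19474.cfm), first Argument (id) "
    "is of invalid type, can't cast String [1,2] to a value of type [numeric] on line 6\r\n"
)

# Constructed sample: the same failure with the header stripped and a generic body.
CLEAN = ("HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
         "An error occurred. Reference id: 7f3a\r\n")
```

Point the same check at a captured response from your own server before and after adding the web server rule to confirm the header is really gone.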