Prevent error message in response header


#1

Is it possible to stop the error response header (exception-message) being written when an error occurs?

I have pretty good error handling where the error message is never shown to the user but I notice it’s still written to the response header.


#2

<cfset getPageContext().getResponse().setHeader("exception-message","")>


#3

Thanks Micha11,
This header was only getting set when using an ajax call.
I added this to my error page (set in administrator) and now all is good!

<cfscript>
  response = getPageContext().getResponse();
  response.setHeader( "exception-message", "Sorry, something went wrong..." );
  //response.setStatus("500");
</cfscript>

#4

I’m not sure what I’m missing here (because there’s a good chance that I don’t understand what you’re trying to do), but why use getPageContext().getResponse().setHeader() instead of the cfheader tag?


#5

Check out these tickets:

https://luceeserver.atlassian.net/browse/LDEV-1217
and a duplicate:
https://luceeserver.atlassian.net/browse/LDEV-1544

As you can see, these tickets are still in the backlog so they’ve never been completed. I would recommend creating some noise on those tickets (comments, votes) so our fearless PM @IamSigmund can get it on his radar.


#6

“I don’t understand what you’re trying to do” - Ok… basically there’s a real security problem with an ajax call exposing the error message through the response header. This has been well documented (I found out afterwards) and is easily rectified.

Why not use cfheader? I’m not sure really!! Don’t get me wrong, I love Lucee but I gave up using tags like cfform, cftable etc (over 10 yrs ago!) because it was simpler (once you understand html) not to use them. Likewise if I can get closer to the native java code that Lucee compiles to I will always endeavour to do so because it gives me greater control and hopefully as I integrate more with java a better understanding.


#7

I have seen the open tickets in JIRA since I asked that question, and have assigned them to myself for the next sprint.

I agree about cfform and cftable, but cfheader is not a client-side “layout” tag. It sets an http response header just like the one that you’re setting using Java, but your Java code uses Reflection which is slower than the compiled version of cfheader so you’re really not gaining anything.

Then again, if the response buffer is flushed then it wouldn’t help you anyway.

We will look at these tickets soon.


#8

Thanks isapir,
If anyone else (like me!) is wondering what ‘Reflection’ is, here is a useful link on stackoverflow:


#9

FYI: Ticket LDEV-1217 (and therefore LDEV-1544) is solved for Lucee 5.2.7.16

Now the header is only sent if Debug Output is enabled for the Request.


#10

Great! thank you isapir
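
A way to verify the behaviour discussed in this thread, as an added example that is not part of any post or of Lucee itself: a Python check that parses captured raw HTTP responses and reports any `exception-message` header carrying more than a generic placeholder. The sample responses are constructed, and the set of allowed values is an assumption taken from the code in posts #2 and #3.

```python
"""Added example: audit raw HTTP responses for a leaked exception-message header."""
from email.parser import BytesParser

HEADER = "exception-message"
# Assumption: values an error page may legitimately send (post #2 blanks the
# header, post #3 replaces it with a generic sentence).
GENERIC_VALUES = {"", "Sorry, something went wrong..."}

# Constructed sample responses (not captured from a real server).
LEAKY = (b"HTTP/1.1 500 Internal Server Error\r\n"
         b"Content-Type: application/json\r\n"
         b"Exception-Message: Table 'shop.userz' doesn't exist\r\n\r\n{}")
SANITIZED = (b"HTTP/1.1 500 Internal Server Error\r\n"
             b"exception-message: Sorry, something went wrong...\r\n\r\n{}")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition(b"\r\n")
    parts = status_line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % status_line[:40])
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return int(parts[1]), headers


def leaked_exception_messages(raw: bytes):
    """Return (status, value) for each non-generic exception-message header.

    The name is matched case-insensitively and every repeated header is
    checked, so a second copy cannot hide behind a sanitized one.
    """
    status, headers = parse_response(raw)
    values = [str(v).strip() for v in headers.get_all(HEADER, [])]
    return [(status, v) for v in values if v not in GENERIC_VALUES]


if __name__ == "__main__":
    for name, raw in (("LEAKY", LEAKY), ("SANITIZED", SANITIZED)):
        findings = leaked_exception_messages(raw)
        print(name, "->", findings or "no exception detail in headers")
```

Feed it responses captured from the application's ajax endpoints with Debug Output disabled; any finding means exception text is still reaching the client.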