Is this the right way to suppress the stacktrace from error 500 pages?

said kouzibry
Rising Star
April 21, 2022

Hi,

On Jira Server 8.13.10, if I run the following POST request on my Jira instance:

baseurl/secure/ForgotLoginDetails.jspa?forgotten=forgotPassword&username=testinvalid%00:&email=testinvalid

I get an error page with the stacktrace included. This stacktrace includes SQL queries, the version of Tomcat, the version of Jira, and various other jar file versions. Needless to say, having such information publicly available puts our Jira instance at risk.

The solution I found was to suppress the stacktrace in the soy template of the error 500 page.

In the file

[INSTALL]/atlassian-jira/templates/jira/errors/error500.soy

I commented out the lines below:

[image: cmd_1NkheqUUis.png]

This does work, so my questions are as follows:

  • Is this the right way of suppressing the stacktrace from error pages?
  • If not, what is the best way I could do it?
  • If no other way, are there any risks to doing it this way?

Thank you.
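
One way to verify the outcome of the template change described in the post, as an added example (not part of the original post and not Atlassian code): the function scans an error-page body for the kinds of detail the post lists (stack frames, SQL, Tomcat version, jar versions). The regexes, function names and both sample bodies are assumptions constructed for illustration.

```python
import re

# Illustrative patterns (assumptions, not an exhaustive list) for the details
# the post says the error 500 page exposed.
LEAK_PATTERNS = {
    "java_stack_frame": re.compile(r"^\s*at\s+[\w$.]+\.[\w$<>]+\([^)]*\)", re.M),
    "exception_class": re.compile(r"\b(?:[a-z_]\w*\.)+[A-Z]\w*(?:Exception|Error)\b"),
    "sql_statement": re.compile(
        r"\b(?:SELECT\s.+?\sFROM|INSERT\s+INTO|UPDATE\s+\w+\s+SET|DELETE\s+FROM)\b",
        re.I | re.S),
    "server_version": re.compile(r"\b(?:Apache\s+)?Tomcat/\d+(?:\.\d+)+", re.I),
    "jar_version": re.compile(r"\b[\w.-]+-\d+(?:\.\d+)+[\w.-]*\.jar\b"),
}

def find_leaks(body: str) -> dict:
    """Return {category: [up to three matches]} for every pattern that hits."""
    hits = {}
    for name, pattern in LEAK_PATTERNS.items():
        matches = [m.group(0).strip() for m in pattern.finditer(body)]
        if matches:
            hits[name] = matches[:3]
    return hits

def is_clean(body: str) -> bool:
    """True when the error page body shows none of the leak categories."""
    return not find_leaks(body)

# Constructed sample: an error page that still prints the stack trace.
SAMPLE_LEAKY = """<h1>Internal Server Error</h1>
<pre>
com.example.db.QueryException: failed: SELECT id, name FROM app_user WHERE lower_name = ?
    at com.example.db.Query.run(Query.java:88)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
Server: Apache Tomcat/0.0.0
Loaded from example-core-1.2.3.jar
</pre>"""

# Constructed sample: the same page after the stack trace block is suppressed.
SAMPLE_CLEAN = """<h1>Internal Server Error</h1>
<p>Something went wrong. Reference id: 00000000</p>"""

if __name__ == "__main__":
    for label, body in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, find_leaks(body) or "no leak indicators found")
```

Feed it the saved body of the error response from your own instance before and after the change; a non-empty result means the page still exposes internals.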

0 answers
