Posted to dev@httpd.apache.org by Francis Daly <de...@daoine.org> on 2002/10/29 15:04:04 UTC

[PATCH] ServerSignature privacy - option 1

Hi there,

About a year ago, there was a discussion about the fact that
"ServerTokens" could be used to limit the detailed information sent
about the server on every request, while "ServerSignature" only showed
the full product version (or nothing at all).

(See, for example, <URL:
http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=100323367832594&w=2>
as a starting point -- the threads "Better privacy with
SERVER_SIGNATURE" and "[PATCH] for ServerSignatures / ServerTokens" are
the relevant ones)

[ ServerSignature is the option that sets how the bottom of a
mod_autoindex-generated page looks.  The information it generates (in the
function ap_psignature in server/core.c) can also appear in the output of
mod_dav, mod_info, and mod_status, amongst other places ]

I prefer to have ServerSignature reveal no more information than the
Server: header (controlled by ServerTokens), so I provide two suggested
patches to add this behaviour.  There were patches provided in the
above-referenced threads, but the facility doesn't seem to exist in the
current code.

The first patch, below, only modifies server/core.c so that the output
of ap_psignature tracks the value of ServerTokens (up to the level
of ServerTokens Minimal, which is the current sole possibility).  The
disadvantage of it is that the current behaviour cannot be replicated
-- if ServerTokens is ProductOnly, for example, the signature cannot be
the current "Apache/2.0.43".  For me, this isn't a problem.  For others,
it might be -- especially if, for example, the information is used in
mod_status to find the running version (where, for some reason, httpd -v
isn't practical).

For that reason, there is also an alternative patch, in a following
mail, which modifies both server/core.c and include/http_core.h
to add an option, ServerSigStyle, which defaults to "traditional"
(meaning "replicates the current behaviour") but can be set to "header"
(meaning "track the Server: header" as described above) wherever
ServerSignature can be set.  The disadvantage of that patch is that it
modifies core_dir_config to add a new directive.  Does that count as a
disadvantage?

Anyway, below is patch alternative 1: change current behaviour to only
allow what I want.  Built against the released 2.0.43 code, my (limited)
testing doesn't show a significant throughput difference compared with
the current code.  It applies to the current CVS version, 1.215, with a
28-line offset.

A documentation patch for "ServerTokens" should say something like "this
also affects the ServerSignature output, if that directive is not off";
while the "ServerSignature" docs should be modified to say something
like "the signature generated depends on the setting of ServerTokens".

Any comments are welcome,

	f
-- 
Francis Daly        deva@daoine.org

--- server-virgin/core.c	Wed Oct  2 22:35:57 2002
+++ server/core.c	Sun Oct 27 19:54:50 2002
@@ -2226,6 +2226,9 @@
 {
     char sport[20];
     core_dir_config *conf;
+    const char *version_s; 
+    char *version; 
+    char *end; 
 
     conf = (core_dir_config *)ap_get_module_config(r->per_dir_config,
                                                    &core_module);
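Review bot: the three added declaration lines carry trailing whitespace; please strip it. Since `version` only ever receives the result of ap_get_server_version() or apr_pstrndup() and is only ever passed on to apr_pstrcat(), it can be declared `const char *version;` too, which removes the need for the `(char *)` cast in the following hunk.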
@@ -2235,9 +2238,15 @@
     }
 
     apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));
+    version = (char *)version_s = ap_get_server_version();
+
+    if ((end = strchr(version_s + strlen(AP_SERVER_BASEPRODUCT), ' ')) 
+        != NULL) {
+        version = apr_pstrndup(r->pool, version_s, end - version_s);
+    }
 
     if (conf->server_signature == srv_sig_withmail) {
-        return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+        return apr_pstrcat(r->pool, prefix, "<address>", version,
                            " Server at <a href=\"mailto:",
                            r->server->server_admin, "\">",
                            ap_escape_html(r->pool, ap_get_server_name(r)),
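Review bot: `version = (char *)version_s = ap_get_server_version();` assigns to a cast expression, which is not an lvalue in ISO C and is accepted only as a compiler extension; split it into `version_s = ap_get_server_version();` followed by `version = (char *)version_s;` (or drop the cast altogether by making `version` const, as it is never written through). The strchr() search starts at `version_s + strlen(AP_SERVER_BASEPRODUCT)`, so the code relies on ap_get_server_version() always beginning with the base product name; a one-line comment stating that assumption would help the next reader, and the `if ((end = strchr(` line also has trailing whitespace.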
@@ -2245,7 +2254,7 @@
                            "</address>\n", NULL);
     }
 
-    return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+    return apr_pstrcat(r->pool, prefix, "<address>", version,
                        " Server at ",
                        ap_escape_html(r->pool, ap_get_server_name(r)),
                        " Port ", sport,