Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/02/08 23:51:32 UTC

DO NOT REPLY [Bug 48004] setHeader() does not replace the previous value for a "Server"

https://issues.apache.org/bugzilla/show_bug.cgi?id=48004

--- Comment #4 from quartz <qu...@yahoo.com> 2010-02-08 14:51:27 UTC ---
This fix is incomplete.

There should be a distinction between setting a header to an empty string ""
and setting it to null (which should clear the header entirely since there is
no .removeHeader() on http response).

Nevertheless, there is no way to completely avoid sending the "Server" header.
Security audits fail just because of the header presence, under the assumption
that the specific header, even if blank, is still revealing something about the
server.

The solution I have is this (Http11Processor for now):

1-add a field
"protected boolean addServerHeader = true;"


2-Implement the setServer() this way, to distinguish the desire to avoid the
header completely. If the server.xml doesn't have a server property, the
setServer() shouldn't be called and the default is to add server header.

    public void setServer( String server ) {
        if (server==null) {
            // No "server" attribute in server.xml: keep Tomcat's default header
            this.server = null;
            this.addServerHeader = true;
        } else if (server.equals("")) {
            // Empty string: suppress the Server header entirely
            this.server = null;
            this.addServerHeader = false;
        } else {
            // Explicit value: always send it, overriding anything the app sets
            this.server = server;
            this.addServerHeader = true;
        }
    }


3-At the end of prepareResponse(), conditionally add the server header:

        // Skipped entirely when server="" was configured
        if(addServerHeader) {
            if (server != null) {
                // Always overrides anything the app might set
                headers.setValue("Server").setString(server);
            } else if (headers.getValue("Server") == null) {
                // If app didn't set the header, use the default
                outputBuffer.write(Constants.SERVER_BYTES);
            }
        }


This is the proper fix which at least is tomcat specific and doesn't break the
servlet spec. I won't argue about the httpresponse.setHeader("Server", null)
since it is not specified in the servlet spec (which means it should be legal
to remove the header!).
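
A stand-alone model of the logic proposed above, added here as an example and not part of the original comment or of Tomcat itself; ServerHeaderPolicy, DEFAULT_SERVER and the Map-based header store are assumptions standing in for Http11Processor, Constants.SERVER_BYTES and MimeHeaders. It runs all three settings (attribute absent, "", explicit value) against an application that does and does not set its own Server header.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class ServerHeaderPolicy {
    // Assumed stand-in for Constants.SERVER_BYTES (Tomcat's built-in default value).
    static final String DEFAULT_SERVER = "Apache-Coyote/1.1";

    private String server = null;
    private boolean addServerHeader = true;

    // Same three-way split as the proposed setServer(): null = attribute absent, "" = suppress, other = fixed value.
    public void setServer(String server) {
        if (server == null) {
            this.server = null;
            this.addServerHeader = true;
        } else if (server.isEmpty()) {
            this.server = null;
            this.addServerHeader = false;
        } else {
            this.server = server;
            this.addServerHeader = true;
        }
    }

    // Same logic as the proposed tail of prepareResponse(); 'headers' is what the app set via setHeader().
    public Map<String, String> prepareResponse(Map<String, String> headers) {
        Map<String, String> out = new LinkedHashMap<>(headers);
        if (addServerHeader) {
            if (server != null) {
                out.put("Server", server);          // connector value always wins
            } else if (!out.containsKey("Server")) {
                out.put("Server", DEFAULT_SERVER);  // default only if the app was silent
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> appSilent = Map.of("Content-Type", "text/html");
        Map<String, String> appSet = Map.of("Server", "MyApp/2.0");
        String[] settings = { null, "", "Hardened/1.0" };
        for (String s : settings) {
            ServerHeaderPolicy p = new ServerHeaderPolicy();
            p.setServer(s);
            System.out.println("server=" + s + ", app silent -> " + p.prepareResponse(appSilent));
            System.out.println("server=" + s + ", app set    -> " + p.prepareResponse(appSet));
        }
    }
}
```

With server="" the connector sends nothing of its own, but a Server header the application set is passed through untouched, so an audit that requires the header to be absent has to cover application code as well as the connector setting.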
