Posted to dev@httpd.apache.org by Thomas Eibner <th...@stderr.net> on 2001/10/17 07:31:17 UTC
[PATCH] Re: Better privacy with SERVER_SIGNATURE
On Wed, Oct 17, 2001 at 07:04:10AM +0200, Thomas Eibner wrote:
> > Why not just fix it so that ServerTokens Prod[uctOnly] influences what
> > the environment variable SERVER_SIGNATURE contains and then leave it by
> > that?
>
> Or just use ServerSignature Off to get rid of it showing up at all?
Patch for making SERVER_SIGNATURE obey what ServerTokens is set to
in httpd.conf follows.
--
Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer>
Re: [PATCH] Re: Better privacy with SERVER_SIGNATURE
Posted by Thomas Eibner <th...@stderr.net>.
On Wed, Oct 17, 2001 at 09:24:18AM -0700, Dirk-Willem van Gulik wrote:
>
> On Wed, 17 Oct 2001, Thomas Eibner wrote:
> > Patch for making SERVER_SIGNATURE obey what ServerTokens is set to
> > in httpd.conf follows.
>
> Instead of re-creating the server string it might be just as nice to
> simply use ap_get_server_version() instead. This is IMHO a bit more
> intuitive to the admin and closer to what I would expect apache to do as
> an admin.
Or write a function that does it, since I just copied and pasted it from
the spot that actually uses the code. Like an ap_get_server_base_version
function or the like.
> The functional difference with your patch would be that any other
> extensions to the server string (such as mod_perl/1.1 etc.) would also
> show up.
Which I don't think was what was meant with the server signature. But
that is not my decision, I just wanted to prove that we didn't need all
the extra-fancy server-header setting stuff to solve the problem with
the server-signature.
--
Thomas Eibner <http://thomas.eibner.dk/> DnsZone <http://dnszone.org/>
mod_pointer <http://stderr.net/mod_pointer>
Re: [PATCH] Re: Better privacy with SERVER_SIGNATURE
Posted by Dirk-Willem van Gulik <di...@covalent.net>.
On Wed, 17 Oct 2001, Thomas Eibner wrote:
> On Wed, Oct 17, 2001 at 07:04:10AM +0200, Thomas Eibner wrote:
> > > Why not just fix it so that ServerTokens Prod[uctOnly] influences what
> > > the environment variable SERVER_SIGNATURE contains and then leave it by
> > > that?
> >
> > Or just use ServerSignature Off to get rid of it showing up at all?
>
> Patch for making SERVER_SIGNATURE obey what ServerTokens is set to
> in httpd.conf follows.
Instead of re-creating the server string it might be just as nice to
simply use ap_get_server_version() instead. This is IMHO a bit more
intuitive to the admin and closer to what I would expect apache to do as
an admin.
The functional difference with your patch would be that any other
extensions to the server string (such as mod_perl/1.1 etc.) would also
show up.
Dw
Re: [PATCH] Re: Better privacy with SERVER_SIGNATURE
Posted by Dirk-Willem van Gulik <di...@covalent.net>.
Nice. I should fold this in I guess :-) i.e. a simple ServerSignature
equals the ap_get_server_string().
Dw.
On Wed, 17 Oct 2001, Thomas Eibner wrote:
> On Wed, Oct 17, 2001 at 07:04:10AM +0200, Thomas Eibner wrote:
> > > Why not just fix it so that ServerTokens Prod[uctOnly] influences what
> > > the environment variable SERVER_SIGNATURE contains and then leave it by
> > > that?
> >
> > Or just use ServerSignature Off to get rid of it showing up at all?
>
> Patch for making SERVER_SIGNATURE obey what ServerTokens is set to
> in httpd.conf follows.
>
>