Posted to dev@tomcat.apache.org by ma...@apache.org on 2016/05/23 19:55:33 UTC
svn commit: r1745248 - in /tomcat/trunk:
java/org/apache/coyote/http11/AbstractHttp11Protocol.java
java/org/apache/coyote/http11/Constants.java
java/org/apache/coyote/http11/Http11Processor.java
webapps/docs/changelog.xml webapps/docs/config/http.xml
Author: markt
Date: Mon May 23 19:55:33 2016
New Revision: 1745248
URL: http://svn.apache.org/viewvc?rev=1745248&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
The HTTP Server header is no longer set by default. A Server header may be configured by setting the server attribute on the Connector. A new Connector attribute, serverRemoveAppProvidedValues may be used to remove any Server header set by a web application.
Modified:
tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/trunk/java/org/apache/coyote/http11/Constants.java
tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/config/http.xml
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1745248&r1=1745247&r2=1745248&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Mon May 23 19:55:33 2016
@@ -196,6 +196,13 @@ public abstract class AbstractHttp11Prot
}
+ private boolean serverRemoveAppProvidedValues = false;
+ public boolean getServerRemoveAppProvidedValues() { return serverRemoveAppProvidedValues; }
+ public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) {
+ this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+ }
+
+
/**
* Maximum size of trailing headers in bytes
*/
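Review bot: The new `serverRemoveAppProvidedValues` field and its accessors are added without any Javadoc, although the neighbouring field visible at the end of this hunk has one. This is the switch an operator uses to stop web applications from advertising a Server header, so its interaction with `server` should be stated where it is declared, e.g. `/** If true, any Server header set by a web application is removed; has no effect when server is set, because server always replaces the application's value. */`. The same gap applies to the undocumented setter added to Http11Processor in the `@@ -479,6 +486,11 @@` hunk.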
@@ -640,6 +647,7 @@ public abstract class AbstractHttp11Prot
processor.setRestrictedUserAgents(getRestrictedUserAgents());
processor.setMaxSavePostSize(getMaxSavePostSize());
processor.setServer(getServer());
+ processor.setServerRemoveAppProvidedValues(getServerRemoveAppProvidedValues());
return processor;
}
Modified: tomcat/trunk/java/org/apache/coyote/http11/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Constants.java?rev=1745248&r1=1745247&r2=1745248&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Constants.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Constants.java Mon May 23 19:55:33 2016
@@ -35,13 +35,6 @@ public final class Constants {
/**
- * Server string.
- */
- public static final byte[] SERVER_BYTES =
- ByteChunk.convertToBytes("Server: Apache-Coyote/1.1" + CRLF);
-
-
- /**
* CR.
*/
public static final byte CR = (byte) '\r';
Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1745248&r1=1745247&r2=1745248&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon May 23 19:55:33 2016
@@ -196,9 +196,16 @@ public class Http11Processor extends Abs
/**
* Allow a customized the server header for the tin-foil hat folks.
*/
- protected String server = null;
+ private String server = null;
+ /*
+ * Should application provider values for the HTTP Server header be removed.
+ * Note that if {@link #server} is set, any application provided vale will
+ * be over-ridden.
+ */
+ private boolean serverRemoveAppProvidedValues = false;
+
/**
* Instance of the new protocol to use after the HTTP connection has been
* upgraded.
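Review bot: The comment on `serverRemoveAppProvidedValues` opens with `/*` rather than `/**`, so it is not a Javadoc comment and the `{@link #server}` inside it will not be resolved. It also carries two typos: "application provider values" should read "application provided values", and "vale" should read "value". Opening the block with `/**` and fixing the first sentence to `* Should application provided values for the HTTP Server header be removed.` would address both. Separately, narrowing `server` from `protected` to `private` could break a subclass that reads the field directly. No such subclass is visible in this hunk, so that is worth confirming.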
@@ -479,6 +486,11 @@ public class Http11Processor extends Abs
}
+ public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) {
+ this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+ }
+
+
/**
* Check if the resource could be compressed, if the client supports it.
*/
@@ -1581,12 +1593,13 @@ public class Http11Processor extends Abs
outputBuffer.sendStatus();
// Add server header
- if (server != null) {
- // Always overrides anything the app might set
+ if (server == null) {
+ if (serverRemoveAppProvidedValues) {
+ headers.removeHeader("server");
+ }
+ } else {
+ // server always overrides anything the app might set
headers.setValue("Server").setString(server);
- } else if (headers.getValue("Server") == null) {
- // If app didn't set the header, use the default
- outputBuffer.write(Constants.SERVER_BYTES);
}
int size = headers.size();
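Review bot: The removal branch passes the lowercase name `"server"` to `removeHeader` while the else branch uses `"Server"`. Header-name matching in MimeHeaders is expected to be case-insensitive, so this is probably harmless, but one spelling keeps the intent obvious: `headers.removeHeader("Server");`. The branch also treats only `null` as "not configured", so a `server` attribute set to an empty string would presumably emit an empty Server header rather than suppress it. A comment such as `// server == null means not configured; an empty string is still written as the header value` would make that explicit for anyone relying on this to reduce version disclosure. The enclosing method starts and ends outside this hunk.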
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1745248&r1=1745247&r2=1745248&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Mon May 23 19:55:33 2016
@@ -87,6 +87,13 @@
<fix>
Improve handling of HTTP/2 stream resets. (markt)
</fix>
+ <add>
+ <bug>58750</bug>: The HTTP Server header is no longer set by default. A
+ Server header may be configured by setting the <code>server</code>
+ attribute on the <code>Connector</code>. A new <code>Connector</code>
+ attribute, <code>serverRemoveAppProvidedValues</code> may be used to
+ remove any Server header set by a web application. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Jasper">
Modified: tomcat/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1745248&r1=1745247&r2=1745248&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/trunk/webapps/docs/config/http.xml Mon May 23 19:55:33 2016
@@ -533,12 +533,16 @@
<attribute name="server" required="false">
<p>Overrides the Server header for the http response. If set, the value
- for this attribute overrides the Tomcat default and any Server header set
- by a web application. If not set, any value specified by the application
- is used. If the application does not specify a value then
- <code>Apache-Coyote/1.1</code> is used. Unless you are paranoid, you won't
- need this feature.
- </p>
+ for this attribute overrides any Server header set by a web application.
+ If not set, any value specified by the application is used. If the
+ application does not specify a value then no Server header is set.</p>
+ </attribute>
+
+ <attribute name="serverRemoveAppProvidedValues" required="false">
+ <p>If <code>true</code>, any Server header Server header set by a web
+ application will be removed. Note that if <strong>server</strong> is set,
+ this attribute is effectively ignored. If not set, the default value of
+ <code>false</code> will be used.</p>
</attribute>
<attribute name="SSLEnabled" required="false">