Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2023/02/08 19:15:00 UTC

[jira] [Commented] (WICKET-7004) Jetty config example contains security hazard

    [ https://issues.apache.org/jira/browse/WICKET-7004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17686059#comment-17686059 ] 

ASF subversion and git services commented on WICKET-7004:
---------------------------------------------------------

Commit cb95a2db4a586ff3b3e471cec66b6303092e8dee in wicket's branch refs/heads/remove-queuing from brbog
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=cb95a2db4a ]

Fix apache/wicket#WICKET-7004 (#538)

Co-authored-by: Bram Bogaert <bogaert.bram+git[at]gmail.com>

> Jetty config example contains security hazard
> ---------------------------------------------
>
>                 Key: WICKET-7004
>                 URL: https://issues.apache.org/jira/browse/WICKET-7004
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket-quickstart
>    Affects Versions: 9.11.0
>            Reporter: Bram Bogaert
>            Priority: Minor
>             Fix For: 10.0.0, 9.12.0
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Inside {{/wicket-archetype-quickstart/src/main/resources/archetype-resources/src/test/jetty/jetty.xml}} the following setting can be found:
> {code:xml}
> <Set name="sendServerVersion">true</Set>
> {code}
> This results in each HTTP response having a header like:
> {{Server : Jetty(9.4.46.v20220331)}}
> While none of this is a problem in itself (it is a test resource), it shouldn't be useful for tests and can be an example that could result in a security hazard. If one were to copy this configuration for a Jetty production server, too much information would become readily accessible to people with bad intentions (it reveals the server software and version number).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
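The issue above describes the effect of `sendServerVersion=true`: every response carries a `Server: Jetty(9.4.46.v20220331)` header that fingerprints the product and exact version. The check below is an added example, not code from the Wicket project or the reporter. It parses raw HTTP responses and reports any `Server` or `X-Powered-By` header together with the version number it exposes, so a practitioner can confirm that a production Jetty no longer advertises itself after the setting is flipped to `false`. The three responses are constructed samples, not captures from a real host; the assumption that the hardened server sends no `Server` header at all, and the mention of Jetty's sibling `sendXPoweredBy` setting, are mine rather than the issue's.

```python
import http.client
import re
from typing import List, Optional, Tuple

# Response headers that commonly advertise the server software and its version.
DISCLOSING_HEADERS = ("server", "x-powered-by")

# Picks a dotted version number out of values like "Jetty(9.4.46.v20220331)" or "Apache/2.4.57".
VERSION_RE = re.compile(r"\d+\.\d+(?:\.\d+)*")

# (header name, header value, version string if one is visible)
Finding = Tuple[str, str, Optional[str]]


def parse_head(raw: str) -> List[Tuple[str, str]]:
    """Split the status line and headers off a raw HTTP/1.1 response.

    Returns (lowercased name, value) pairs; the body after the first blank line is ignored.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # element [0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def disclosures(headers: List[Tuple[str, str]]) -> List[Finding]:
    """Return every Server / X-Powered-By header, with the version number it leaks, if any.

    A product name without a version is still a fingerprint, so it is reported with version None.
    """
    found = []
    for name, value in headers:
        if name in DISCLOSING_HEADERS:
            m = VERSION_RE.search(value)
            found.append((name, value, m.group(0) if m else None))
    return found


def disclosures_from_raw(raw: str) -> List[Finding]:
    """Convenience wrapper for a raw response string."""
    return disclosures(parse_head(raw))


def disclosures_from_live(host: str, port: int = 80, path: str = "/") -> List[Finding]:
    """Issue one HEAD request to a running server and inspect its headers (makes a network call)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return disclosures([(n.lower(), v) for n, v in resp.getheaders()])
    finally:
        conn.close()


# Constructed sample responses (not captured from a real host).
# 1) What the quickstart's jetty.xml produces with sendServerVersion=true.
RAW_QUICKSTART = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 08 Feb 2023 19:15:00 GMT\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Server: Jetty(9.4.46.v20220331)\r\n"
    "\r\n"
    "<html>...</html>"
)
# 2) Assumed output of the same server with sendServerVersion=false: no Server header at all.
RAW_HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 08 Feb 2023 19:15:00 GMT\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
# 3) Version removed from Server but still leaking through X-Powered-By (sendXPoweredBy left on).
RAW_NAME_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Jetty\r\n"
    "X-Powered-By: Jetty(9.4.46.v20220331)\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("quickstart", RAW_QUICKSTART),
                       ("hardened", RAW_HARDENED),
                       ("name-only", RAW_NAME_ONLY)):
        print(label, disclosures_from_raw(raw))
```

Run it against the samples to see the quickstart response flagged and the hardened one clean; `disclosures_from_live("localhost", 8080)` does the same against a server you are actually configuring. The third sample is the case to watch for: turning off `sendServerVersion` alone is not enough if `X-Powered-By` is still emitted, which is why both headers are in `DISCLOSING_HEADERS`.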