httpd-dev mailing list archives

From Alvaro Martinez Echevarria <alvaro-ht...@lander.es>
Subject Re: 1.3b8
Date Fri, 29 May 1998 01:39:16 GMT
On Thu, 28 May 1998, Marc Slemko wrote:

> > I'm sure that one possible response would be "they have access to
> > the code; they can change it. Thus, we allow it to be a "configurable"
> > option. :/
> 
> I don't buy that.  If you say that, then the following code:
> 
> int main () {
> 	exit(666);
> }
> 
> is unconditionally compliant.

Well, I'd rather say:

int main () {
  /* Uncomment the following 100000 lines to enable the Apache
   * server:
   * [...]
   */
   exit(666);
}

I'm not kidding. I really think this is a serious option. And
anyway, I am pretty sure that as soon as you program such a
configurable option (ServerVersion off, or whatever) and
pronounce the word "security", Apache will fall from 50% to 40%.
Think about MS and Netscape releasing press notes about the
"decreasing market share of Apache".

How about this patch (against 1.3b7):

##################################################################
diff -ru src.OLD/main/http_protocol.c src/main/http_protocol.c
--- src.OLD/main/http_protocol.c	Thu May 21 06:11:27 1998
+++ src/main/http_protocol.c	Fri May 29 03:23:28 1998
@@ -1076,6 +1076,9 @@
            protocol, " ", r->status_line, "\015\012", NULL);
 
     ap_send_header_field(r, "Date", ap_gm_timestr_822(r->pool, r->request_time));
+    /* The following line can be commented out to avoid revealing
+     * the server version information.
+     */
     ap_send_header_field(r, "Server", ap_get_server_version());
 
     ap_table_unset(r->headers_out, "Date");        /* Avoid bogosity */
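Review bot: the three added lines in http_protocol.c are a comment only; `ap_send_header_field(r, "Server", ap_get_server_version());` still executes unconditionally, so nothing here is configurable without editing the source and rebuilding. If a build-time switch is the goal, wrap the call in a preprocessor conditional so it can be toggled from the build configuration; if the "ServerVersion off" directive mentioned earlier in the thread is the goal, the call needs to test a server config flag rather than rely on a reader deleting the line.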
diff -ru src.OLD/modules/proxy/proxy_connect.c src/modules/proxy/proxy_connect.c
--- src.OLD/modules/proxy/proxy_connect.c	Sat Apr 11 14:00:40 1998
+++ src/modules/proxy/proxy_connect.c	Fri May 29 03:24:12 1998
@@ -203,6 +203,9 @@
 	ap_snprintf(buffer, sizeof(buffer), "CONNECT %s HTTP/1.0" CRLF,
 		    r->uri);
 	write(sock, buffer, strlen(buffer));
+        /* The next two lines can be commented out to avoid revealing
+         * the server version information.
+         */
 	ap_snprintf(buffer, sizeof(buffer),
 		    "Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
 	write(sock, buffer, strlen(buffer));
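Review bot: the comment is unsafe as written: the "next two lines" it says may be commented out include `"Proxy-agent: %s" CRLF CRLF`, which carries the blank line that terminates the CONNECT request headers (the preceding `"CONNECT %s HTTP/1.0" CRLF` line ends with a single CRLF). Removing both lines leaves the request unterminated and the upstream proxy waiting for more headers. Write the final CRLF in its own `ap_snprintf`/`write` pair unconditionally and make only the Proxy-agent line optional. Minor: the added lines are indented with spaces while the surrounding code uses tabs.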
@@ -210,6 +213,9 @@
     else {
 	Explain0("Returning 200 OK Status");
 	ap_rvputs(r, "HTTP/1.0 200 Connection established" CRLF, NULL);
+        /* The following line can be commented out to avoid revealing
+         * the server version information.
+         */
 	ap_rvputs(r, "Proxy-agent: ", ap_get_server_version(), CRLF CRLF, NULL);
 	ap_bflush(r->connection->client);
     }
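Review bot: same termination problem as the CONNECT hunk: `ap_rvputs(r, "Proxy-agent: ", ap_get_server_version(), CRLF CRLF, NULL);` supplies the blank line ending the "200 Connection established" response, since the status line above it ends with a single CRLF. Commenting it out as the comment suggests would leave the client with no end of headers before the tunnel data starts. Emit `CRLF` unconditionally (e.g. `ap_rvputs(r, CRLF, NULL);`) after an optional Proxy-agent line. The added comment lines also use spaces where the file uses tabs.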
##################################################################

If you have the sources, this is clearly configurable, although
not in runtime. But the RFC probably doesn't mention "runtime"
;-)
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'
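The point made above about configurability, as an added example that is not from the patch or the Apache sources: a stand-alone C sketch of the CONNECT request builder in which the version line is controlled by a hypothetical runtime flag (`reveal`, standing in for a "ServerVersion off" style directive) and the end-of-headers blank line is always written separately, so hiding the version can never leave the request unterminated. `server_version()` and the "Apache/1.3b7" string are constructed stand-ins for `ap_get_server_version()`.

```c
#include <stdio.h>
#include <string.h>

#define CRLF "\r\n"

/* Constructed stand-in for ap_get_server_version(). */
static const char *server_version(void) { return "Apache/1.3b7"; }

/* Build the CONNECT request header block the proxy sends upstream.
 * 'reveal' stands in for a hypothetical runtime directive such as the
 * "ServerVersion off" idea from the thread. The blank line ending the
 * header block is written on its own, so hiding the version can never
 * leave the request unterminated. Returns bytes written, -1 on overflow. */
int build_connect_request(char *buf, size_t len, const char *uri, int reveal)
{
    int n = snprintf(buf, len, "CONNECT %s HTTP/1.0" CRLF, uri);
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (reveal) {
        int m = snprintf(buf + n, len - n, "Proxy-agent: %s" CRLF, server_version());
        if (m < 0 || (size_t)m >= len - n)
            return -1;
        n += m;
    }
    /* End-of-headers marker: always emitted, independent of Proxy-agent. */
    int t = snprintf(buf + n, len - n, CRLF);
    if (t < 0 || (size_t)t >= len - n)
        return -1;
    return n + t;
}

/* Audit helpers: is the block properly terminated, does it disclose a version? */
int header_block_terminated(const char *buf)
{
    size_t l = strlen(buf);
    return l >= 4 && strcmp(buf + l - 4, CRLF CRLF) == 0;
}

int reveals_version(const char *buf)
{
    return strstr(buf, "Proxy-agent:") != NULL || strstr(buf, "Server:") != NULL;
}

/* 0 = build error or unterminated, 1 = terminated and version hidden, 2 = disclosed. */
int check_connect_request(const char *uri, int reveal)
{
    char buf[256];
    if (build_connect_request(buf, sizeof buf, uri, reveal) < 0) return 0;
    if (!header_block_terminated(buf)) return 0;
    return reveals_version(buf) ? 2 : 1;
}
```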