httpd-dev mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: cvs commit: httpd-2.0/docs/error/include bottom.html
Date Thu, 20 Jun 2002 02:25:59 GMT
Aaron Bannert wrote:
> On Sat, Jun 15, 2002 at 07:01:25AM -0000, rbb@apache.org wrote:
>>  Comment out the SERVER_STRING variable from our default error documents.
> I'm sorry to have to revisit this, but I'm going to have to -1 this
> whole thing. I don't want to have to go and enable all of my error
> docs just because some admins believe it exposes them to risk,
> which of course is total bunk.
> 
> If an admin doesn't want to display their server version, they're going
> to have to turn them off themselves, or we're going to have to provide
> an easier way to do this. Hiding a variable deep in an included SSI file
> is not satisfactory.
> 
> I'm not interested in any default values that encourage security by
> obscurity.

Hmmm... Even though I agree with you, I'm not sure that is a very good 
technical justification for a veto.

In any case, I have a patch ready to commit that removes Ryan's changes,
but comments out the internationalized error docs in the default config.
I believe that is better than the existing setup for a variety of
reasons, and it leaves the server string in the default setup (via the
built-in error messages).  Would that resolve your veto?

Joshua.

