httpd-dev mailing list archives

From Francis Daly <>
Subject Re: [PATCH] ServerSignature privacy - option 1
Date Tue, 05 Nov 2002 13:38:38 GMT
On Sat, Nov 02, 2002 at 11:29:29AM -0800, Justin Erenkrantz wrote:
> >The disadvantage of it is that the current behaviour
> >cannot be replicated -- if ServerTokens is ProductOnly, for
> >example, the signature cannot be the current "Apache/2.0.43".  For
> >me, this isn't a problem.  For others, it might be --
> Nah, I'm not terribly concerned about that edge case.

That suits me fine.

> >Anyway, below is patch alternative 1: change current behaviour to
> >only allow what I want.  
> I like this alternative much more than the other one.  I'm a believer 
> that ServerTokens is that 'authoritative' version that should always 
> be represented to the world.
> However, wouldn't it be better to just have it return 
> ap_server_version() rather than trying to be cute and cut off at the 
> first space?  

The reason I cut it off there was to (as near as possible) mimic
current behaviour.  ap_server_version() can return quite a long string,
especially if there are lots of third party modules loaded.  The
Server: header from some well-known Apache/1.3 sites exceeds 80

If it's considered appropriate, then it makes the patch much smaller,
and (presumably) the code that bit faster.

I don't believe there's a danger of any client-side data appearing
there, but even so it may be worth wrapping the output of
ap_server_version() with ap_escape_html() -- although if a webmaster
chooses to load mod_<blink>, perhaps they shouldn't be helped.  If it
is wanted, the change is obvious.

> If ServerTokens is 'full' anyway, you're already 
> exposing it, so I don't see a large concern.  It might be a bit more 
> than we had before, but I don't think that's going to scare anyone 
> away.  Perhaps it'll teach people to use 'minimal' more often.

That sounds reasonable to me, and no-one has yet contradicted it that
I have seen.

> And, if you could submit a patch for the documentation, that'd be 
> appreciated.  =)  

I was hoping to be lazy and just provide the words, and let someone
who knows more about the current doc setup do the real work.  Oh

Two patches below: one is for httpd-2.0/server/core.c, which just adds
(unescaped) ap_get_server_version() to ap_psignature.  Against the
current CVS version; not compiled, not tested, but it looks right to

The other is for httpd-docs-2.0/manual/mod/core.xml, which adds an
extra comment to the two directives.  Also against the most recent CVS
version; hopefully I've got the style correct.  Obviously, if the
actually-committed patch includes the "stop after Minimal" code, then
the words here are wrong.

All the best,

Francis Daly

--- core.c.1.216	Tue Nov  5 13:22:10 2002
+++ core.c	Tue Nov  5 13:24:12 2002
@@ -2265,7 +2265,8 @@
     apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));
     if (conf->server_signature == srv_sig_withmail) {
-        return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+        return apr_pstrcat(r->pool, prefix, "<address>", 
+                           ap_get_server_version(),
                            " Server at <a href=\"mailto:",
                            r->server->server_admin, "\">",
                            ap_escape_html(r->pool, ap_get_server_name(r)),
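Review bot: ap_get_server_version() on the second `+` line is concatenated into the `<address>` element unescaped, while ap_get_server_name(r) three lines further down is wrapped in ap_escape_html(r->pool, ...). The version string is assembled from every loaded module's component (the message itself notes third-party modules make it long), so for consistency within the element write `ap_escape_html(r->pool, ap_get_server_version()),` here, as the message already suggests. Minor: the first `+` line carries trailing whitespace after the comma.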
@@ -2273,7 +2274,7 @@
                            "</address>\n", NULL);
-    return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+    return apr_pstrcat(r->pool, prefix, "<address>", ap_get_server_version(),
                        " Server at ",
                        ap_escape_html(r->pool, ap_get_server_name(r)),
                        " Port ", sport,
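Review bot: the same unescaped ap_get_server_version() appears in the no-mail branch on the `+` line; whichever treatment the withmail branch gets, this branch must match, so it is cleaner to compute the (escaped) version string once before the `if (conf->server_signature == srv_sig_withmail)` test and pass that variable to both apr_pstrcat calls instead of repeating the expression. The message says the file is neither compiled nor tested, so a build against current CVS is needed before commit.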

--- core.xml.1.40	Tue Nov  5 13:07:40 2002
+++ core.xml	Tue Nov  5 13:10:45 2002
@@ -2509,6 +2509,8 @@
     "mailto:" reference to the <directive
     module="core">ServerAdmin</directive> of the referenced
+    <p>After version 2.0.44, the details of the server version number
+    presented are controlled by the ServerTokens directive.
 <seealso><directive module="core">ServerTokens</directive></seealso>
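Review bot: the `<p>` opened on the first `+` line is never closed, so the XML manual will fail validation; add `</p>` at the end of the second `+` line. "ServerTokens directive" is also plain text where the surrounding markup uses the `<directive module="core">ServerTokens</directive>` element (compare the `<seealso>` on the next line). The "After version 2.0.44" wording assumes the release the change lands in; the message notes the words depend on what is actually committed, so the version should be confirmed at commit time.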
@@ -2560,6 +2562,9 @@
     <p>This setting applies to the entire server, and cannot be
     enabled or disabled on a virtualhost-by-virtualhost basis.</p>
+    <p>After version 2.0.44, this directive also controls the
+    information presented by the ServerSignature directive.
 <seealso><directive module="core">ServerSignature</directive></seealso>
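Review bot: as in the ServerSignature hunk, the added `<p>` has no closing `</p>`, and "ServerSignature directive" should be written with the `<directive module="core">ServerSignature</directive>` element used on the following line. The added sentence could also say what the core.c change actually does, namely that the signature now embeds the same ServerTokens-controlled string as the Server header, so a reader of this entry learns which values shorten the signature.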

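The escaping question the message raises (whether ap_get_server_version() should be wrapped in ap_escape_html() before landing inside the `<address>` element) is easier to judge with the two outputs side by side. The following C program is an added example written for this archive page, not httpd's code: `escape_html()` is a minimal stand-in for ap_escape_html(), `build_signature()` reproduces only the string shape of the patched no-mail branch of ap_psignature(), and the version string containing `mod_<blink>` is constructed to stand in for a badly named third-party module.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy s to dst and return a pointer just past the copied bytes. */
static char *append(char *dst, const char *s)
{
    size_t n = strlen(s);
    memcpy(dst, s, n);
    return dst + n;
}

/* Minimal stand-in for httpd's ap_escape_html(): replaces the four
 * characters that can open, close or quote HTML markup.  Caller frees. */
char *escape_html(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': n += 4; break;   /* &lt; &gt;  */
        case '&':           n += 5; break;   /* &amp;      */
        case '"':           n += 6; break;   /* &quot;     */
        default:            n += 1;
        }
    }
    char *out = malloc(n + 1), *o = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': o = append(o, "&lt;");   break;
        case '>': o = append(o, "&gt;");   break;
        case '&': o = append(o, "&amp;");  break;
        case '"': o = append(o, "&quot;"); break;
        default:  *o++ = *p;
        }
    }
    *o = '\0';
    return out;
}

/* Builds the string shape of the patched ap_psignature() no-mail branch:
 * "<address>VERSION Server at HOST Port PORT</address>\n".
 * escape_version selects whether VERSION goes through escape_html() first,
 * the choice the thread leaves to the committer.  HOST is always escaped,
 * as in the original code.  Constructed example, not httpd's own code. */
char *build_signature(const char *version, const char *host, unsigned port,
                      int escape_version)
{
    char sport[16];
    snprintf(sport, sizeof sport, "%u", port);
    char *ev = escape_version ? escape_html(version) : NULL;
    const char *v = ev ? ev : version;
    char *eh = escape_html(host);
    size_t n = strlen("<address>") + strlen(v) + strlen(" Server at ")
             + strlen(eh) + strlen(" Port ") + strlen(sport)
             + strlen("</address>\n");
    char *out = malloc(n + 1), *o = out;
    o = append(o, "<address>");
    o = append(o, v);
    o = append(o, " Server at ");
    o = append(o, eh);
    o = append(o, " Port ");
    o = append(o, sport);
    o = append(o, "</address>\n");
    *o = '\0';
    free(ev);
    free(eh);
    return out;
}

/* Returns 1 if anything between the <address> wrapper tags would be read
 * by a browser as markup, i.e. a '<' from the version string survived. */
int has_injected_markup(const char *sig)
{
    const char *body = sig + strlen("<address>");
    const char *end = strstr(body, "</address>");
    if (end == NULL)
        return 1;
    return memchr(body, '<', (size_t)(end - body)) != NULL;
}

int main(void)
{
    /* Constructed: what ap_get_server_version() could return with a
     * third-party module whose component contains markup characters. */
    const char *version = "Apache/2.0.43 (Unix) mod_<blink>/1.0";
    char *raw = build_signature(version, "www.example.com", 80, 0);
    char *esc = build_signature(version, "www.example.com", 80, 1);
    printf("unescaped: %s", raw);   /* the <blink> tag reaches the browser */
    printf("escaped:   %s", esc);   /* rendered literally as mod_<blink> */
    free(raw);
    free(esc);
    return 0;
}
```

The unescaped form is the one the posted patch produces; the escaped form is what the single extra ap_escape_html() call in the message would give. Since module components are chosen by whoever builds the server, not by clients, the escape closes a self-inflicted problem rather than a remote one, which is the trade-off the message describes.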