httpd-dev mailing list archives

From Justin Erenkrantz <>
Subject Re: [PATCH] ServerSignature privacy - option 1
Date Sat, 02 Nov 2002 19:29:29 GMT
--On Tuesday, October 29, 2002 2:04 PM +0000 Francis Daly wrote:

> The first patch, below, only modifies server/core.c so that the
> output of ap_psignature tracks the value of ServerTokens (up to the
> level of ServerTokens Minimal, which is the current sole
> possibility).  The disadvantage of it is that the current behaviour
> cannot be replicated -- if ServerTokens is ProductOnly, for
> example, the signature cannot be the current "Apache/2.0.43".  For
> me, this isn't a problem.  For others, it might be -- especially
> if, for example, the information is used in mod_status to find the
> running version (where, for some reason, httpd -v isn't practical).

Nah, I'm not terribly concerned about that edge case.

> Anyway, below is patch alternative 1: change current behaviour to
> only allow what I want.  Built against the released 2.0.43 code, my
> (limited) testing doesn't show a significant throughput difference
> compared with the current code.  It applies to the current CVS
> version, 1.215, with a 28-line offset.

I like this alternative much more than the other one.  I'm a believer 
that ServerTokens is that 'authoritative' version that should always 
be represented to the world.

However, wouldn't it be better to just have it return 
ap_server_version() rather than trying to be cute and cut off at the 
first space?  If ServerTokens is 'full' anyway, you're already 
exposing it, so I don't see a large concern.  It might be a bit more 
than we had before, but I don't think that's going to scare anyone 
away.  Perhaps it'll teach people to use 'minimal' more often.

And, if you could submit a patch for the documentation, that'd be 
appreciated.  =)  -- justin
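
The two signature behaviours discussed in this message, side by side, as an added example that is not part of the original message or of the patch: the quoted patch's cut at the first space versus returning the whole ServerTokens-controlled string. The function names, the `(Unix)` platform token and the `mod_example/1.0` module token are constructed for illustration; the model does not call httpd's real API.

```c
#include <stdio.h>
#include <string.h>

/* ServerTokens levels relevant to the 2.0.43 discussion above. */
enum tokens { TOK_PROD, TOK_MIN, TOK_OS, TOK_FULL };

/* Constructed sample banner parts (assumptions, not from a real server). */
#define MIN_FORM     "Apache/2.0.43"
#define PLATFORM     "(Unix)"
#define MODULE_TOKEN "mod_example/1.0"   /* hypothetical module banner */

/* Hypothetical model of the version string that ServerTokens controls. */
static const char *model_server_version(enum tokens t, char *buf, size_t n)
{
    switch (t) {
    case TOK_PROD: snprintf(buf, n, "Apache"); break;
    case TOK_MIN:  snprintf(buf, n, "%s", MIN_FORM); break;
    case TOK_OS:   snprintf(buf, n, "%s %s", MIN_FORM, PLATFORM); break;
    case TOK_FULL: snprintf(buf, n, "%s %s %s", MIN_FORM, PLATFORM, MODULE_TOKEN); break;
    }
    return buf;
}

/* Quoted patch's approach: cut at the first space, so the error-page
 * signature never discloses more than the Minimal form. */
static const char *sig_cut_at_space(enum tokens t, char *buf, size_t n)
{
    char *sp;
    model_server_version(t, buf, n);
    if ((sp = strchr(buf, ' ')) != NULL)
        *sp = '\0';
    return buf;
}

/* Reply's suggestion: the signature is the whole version string, so it
 * discloses exactly what the Server: header already discloses. */
static const char *sig_full(enum tokens t, char *buf, size_t n)
{
    return model_server_version(t, buf, n);
}

int main(void)
{
    static const char *names[] = { "ProductOnly", "Minimal", "OS", "Full" };
    char a[128], b[128];
    for (int t = TOK_PROD; t <= TOK_FULL; t++)
        printf("%-11s  cut: %-14s  full: %s\n", names[t],
               sig_cut_at_space((enum tokens)t, a, sizeof a),
               sig_full((enum tokens)t, b, sizeof b));
    return 0;
}
```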
