tomcat-dev mailing list archives

From Remy Maucherat <>
Subject Re: cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11
Date Mon, 13 Sep 2004 18:57:38 GMT
Mark Thomas wrote:

>>I dislike patches which cause a
>>performance hit for the sole interest of embedders who don't
>>contribute anything.
>Agreed. But this wasn't the reasoning behind the patch.
>From the original bug report (16254) I believe the reporter had a security
>motive. To repeat some of my earlier comments on this change:
>...section 14.38 of RFC 2616 does state
>Note: Revealing the specific software version of the server might
>      allow the server machine to become more vulnerable to attacks
>      against software that is known to contain security holes. Server
>      implementors are encouraged to make this field a configurable
>      option.
>The default doesn't include a specific version but I think allowing it to be
>overridden is more in line with the quote above.
>Further, I couldn't see anything in the servlet spec that limits the use of
>response.setHeader() to a subset of HTTP headers.
There are a lot of protocol specific headers that you cannot set using that.

>The patch I applied was based on the handling of the date header immediately
>previously in the same class.
You are quite right that the date header special handling should probably
go as well ;)

>My position remains that the above reasons are sufficient justification for the
>patch to remain.
My position remains the same as well.
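As an added example, not code from this thread or from Tomcat itself: a small Python check that parses a Server header value under the RFC 2616 product/comment grammar the quoted note refers to and reports which product tokens carry a version, which is the disclosure section 14.38 asks implementors to make configurable. The header values it is run on are constructed samples, not any real server's default.

```python
# Added check, not code from the thread or from Tomcat: parse a Server header value
# under the RFC 2616 grammar (3.8: product = token ["/" product-version];
# 14.38: Server = 1*( product | comment )) and report which product tokens carry
# a version. Every header value used here is a constructed sample.
TOKEN_CHARS = set("!#$%&'*+-.^_`|~0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def split_products_and_comments(value):
    """Split a Server header value into product strings and (possibly nested) comments."""
    products, comments, current, i = [], [], "", 0
    while i < len(value):
        ch = value[i]
        if ch == "(":  # comments may nest, e.g. "(a (b) c)": scan to the matching paren
            depth, start = 0, i
            while i < len(value):
                depth += {"(": 1, ")": -1}.get(value[i], 0)
                if depth == 0:
                    break
                i += 1
            comments.append(value[start + 1:i])  # text between the outer parens
        elif ch in " \t":
            if current:
                products.append(current)
            current = ""
        else:
            current += ch
        i += 1
    if current:
        products.append(current)
    return products, comments

def parse_server_header(value):
    """Return ([(product, version_or_None), ...], [comment, ...])."""
    parsed = []
    products, comments = split_products_and_comments(value)
    for item in products:
        name, _, version = item.partition("/")
        if not name or any(c not in TOKEN_CHARS for c in name + version):
            raise ValueError("invalid product token in Server header: %r" % item)
        parsed.append((name, version or None))
    return parsed, comments

def reveals_specific_version(value):
    """True when any product token carries a product-version, the disclosure that
    RFC 2616 14.38 asks implementors to make configurable. The syntax alone cannot
    tell a software release from another marker, so treat each hit as a review item."""
    parsed, _ = parse_server_header(value)
    return any(version is not None for _, version in parsed)
```

A product-version such as a protocol level rather than a software release will also be reported, so the result is a prompt to review the configured value, not a verdict on its own.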

