tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11 Http11Processor.java
Date Mon, 13 Sep 2004 18:57:38 GMT
Mark Thomas wrote:

>>I dislike patches which cause a
>>performance hit for the sole interest of embedders who don't
>>contribute anything.
>
>Agreed. But this wasn't the reasoning behind the patch.
>
>From the original bug report (16254) I believe the reporter had a security
>motive. To repeat some of my earlier comments on this change:
><quote>
>...section 14.38 of RFC 2616 does state
><spec-quote>
>Note: Revealing the specific software version of the server might
>      allow the server machine to become more vulnerable to attacks
>      against software that is known to contain security holes. Server
>      implementors are encouraged to make this field a configurable
>      option.
></spec-quote>
>
>The default doesn't include a specific version but I think allowing it to be
>overridden is more in line with the quote above.
>
>Further, I couldn't see anything in the servlet spec that limits the use of
>response.setHeader() to a subset of HTTP headers.
>
There are a lot of protocol specific headers that you cannot set using that.

>The patch I applied was based on the handling of the date header immediately
>previously in the same class.
></quote>
>
You are quite right that the date header special handling should probably
go as well ;)

>My position remains that the above reasons are sufficient justification for the
>patch to remain.
>
My position remains the same as well.

Rémy
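The thread turns on two things: which response headers the connector owns outright (so that `response.setHeader()` cannot touch them), and whether the `Server` header that RFC 2616 section 14.38 asks to be configurable can be overridden by the application. The following Python model is an added illustration written for this archive page; it is not Tomcat or Coyote code and does not reproduce `Http11Processor`. The reserved-header set, the default server token and the fixed timestamp are constructed for the example.

```python
"""Illustrative model of connector-controlled vs application-set HTTP
response headers. Added example; not Tomcat/Coyote code."""

import re
from datetime import datetime, timezone
from email.utils import format_datetime

# Default Server token used when the application sets none. Constructed
# default for this example, not read from any Tomcat configuration.
DEFAULT_SERVER = "Apache-Coyote/1.1"

# Headers assumed to be reserved for the connector because they govern
# message framing and connection management. Assumption for the example.
CONNECTOR_ONLY = {"content-length", "transfer-encoding", "connection"}

# Constructed timestamp so output is deterministic (matches the thread date).
FIXED_NOW = datetime(2004, 9, 13, 18, 57, 38, tzinfo=timezone.utc)

# RFC 2616 section 3.8: a product token is product ["/" product-version];
# parenthesised comments may be interleaved and carry no version.
COMMENT_RE = re.compile(r"\([^)]*\)")


def serialize_response(status, app_headers, body, *, now=None,
                       allow_server_override=True):
    """Build a raw HTTP/1.1 response the way a connector might.

    app_headers: list of (name, value) pairs as set via response.setHeader().
    Returns (raw_bytes, dropped), where dropped names the application
    headers the connector refused to honour.
    """
    now = now or datetime.now(timezone.utc)
    kept, dropped = [], []
    for name, value in app_headers:
        key = name.lower()
        if key in CONNECTOR_ONLY:
            dropped.append(name)          # framing headers: connector only
            continue
        if key == "server" and not allow_server_override:
            dropped.append(name)          # policy: Server is not overridable
            continue
        kept.append((name, value))
    names = {n.lower() for n, _ in kept}
    if "server" not in names:
        kept.append(("Server", DEFAULT_SERVER))
    if "date" not in names:               # same treatment as the Server header
        kept.append(("Date", format_datetime(now, usegmt=True)))
    kept.append(("Content-Length", str(len(body))))  # always recomputed
    lines = [f"HTTP/1.1 {status}"] + [f"{n}: {v}" for n, v in kept] + ["", ""]
    return "\r\n".join(lines).encode("latin-1") + body, dropped


def parse_headers(raw):
    """Return (status_line, {lowercased-name: value}) from a raw response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def product_tokens(server_value):
    """Split a Server header into (product, version) pairs, dropping
    comments; version is '' when the token carries none. This is what an
    attacker fingerprinting the server actually reads (RFC 2616 14.38)."""
    cleaned = COMMENT_RE.sub(" ", server_value or "")
    tokens = []
    for tok in cleaned.split():
        product, _, version = tok.partition("/")
        tokens.append((product, version))
    return tokens


if __name__ == "__main__":
    raw, dropped = serialize_response(
        200, [("Server", "Unknown"), ("Content-Length", "999")],
        b"hello", now=FIXED_NOW)
    print(raw.decode("latin-1"))
    print("dropped:", dropped)
    print(product_tokens("Apache/2.0.50 (Unix) mod_jk/1.2.6"))
```

Run it directly to see the application's `Server` value honoured while its bogus `Content-Length` is discarded and recomputed; flip `allow_server_override` to `False` to model a connector that always emits its own token.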



