> On Jan. 28, 2015, 7:21 a.m., Corey Farrell wrote:
> > If we assume that there are always unknown security vulnerabilities, I 
> > think it is worth completely removing "Server: Asterisk/<version>".  
> > Another option would be trimming to major version only - Server: 
> > Asterisk/13.  Otherwise any system with default config that does not 
> > receive a security update will always inform hackers of that fact.
> > 
> > I'm not sure others will agree with this but feel that it needs to be 
> > considered.
> 
> Matt Jordan wrote:
>     I thought about this as well. As a rebuttal to changing this mid-stream, 
> I'd note the following:
>     * Although it is somewhat unlikely, there is a chance that someone has 
> built a system relying on this information. For example, if I had a pool of 
> private Asterisk servers, I may be using cURL to check Asterisk's HTTP server 
> to get the version that is deployed on each server. While this isn't highly 
> likely, I've seen systems that do weirder things. I'd prefer to not break 
> existing systems unless we feel there is no other option.
>     * We do the same thing in other areas. For example, the UserAgent header 
> and the SDP session name in chan_sip include the version. Arguably, this 
> exposes Asterisk more than the HTTP server - we are far more likely to have 
> someone inspecting the SIP traffic than the HTTP server (which sits on a 
> non-standard port).
>     
>     As it is, I'd be fine if we changed this in trunk, but I'd prefer the 
> 11/13 implementations to keep the existing behaviour.

If we uncomment "servername=asterisk" in the sample config for trunk only I'd 
be happy.


- Corey


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14339
-----------------------------------------------------------


On Jan. 28, 2015, 9:13 p.m., Ashley Sanders wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
> 
> (Updated Jan. 28, 2015, 9:13 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-24316
>     https://issues.asterisk.org/jira/browse/ASTERISK-24316
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Currently, all responses from the Asterisk HTTP server contain a [Server] 
> header that identifies Asterisk and its version (e.g. 
> "Server:Asterisk/<version>", where <version> is the currently running version 
> of Asterisk). The preferred behavior is to allow the user to configure an 
> alternate name to use for the value returned in the [Server] header for HTTP 
> responses (e.g. "Server:SomeSuperAwesomeServerName").
> 
> This patch provides a new configuration property, [servername], in http.conf, 
> that gives users the ability to modify the value that Asterisk uses when 
> identifying itself. 
> 
> By default, the new property is unused, which means that out-of-the-box, the 
> HTTP server behaves just like it did prior to the patch. Requests to the HTTP 
> server will generate responses with the old-style [Server] header (e.g. 
> "Server:Asterisk/<version>", where <version> is the currently running version 
> of Asterisk). To see the new behavior, you must add the configuration 
> property, [servername] with some value (an empty value will work, also) to 
> http.conf.
> 
> Whatever value the HTTP server is holding for the server name can now be seen 
> through the httpstatus web page 
> (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], 
> [bindport], and [prefix] are all values configured in http.conf) and the CLI 
> command: http show status.
> 
> ***Note*** This is just the patch to the Asterisk source. You can find the 
> review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
> 
> 
> Diffs
> -----
> 
>   ./branches/13/main/http.c 431112 
>   ./branches/13/include/asterisk/http.h 431112 
>   ./branches/13/configs/samples/http.conf.sample 431112 
> 
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Ashley Sanders
> 
>
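
The concern raised in this thread boils down to a check an operator can automate: does a response from the Asterisk HTTP server still carry a version in its Server header, or has servername in http.conf replaced it? The script below is an added example, not code from this review or from Asterisk; both responses are constructed samples, the version number is illustrative, and live_verdict is a hypothetical helper that fetches headers with curl -sI.

```shell
#!/bin/sh
# Added example, not part of the review or of Asterisk itself: grade the
# Server header of an Asterisk HTTP response for version disclosure.
# Both responses are constructed samples; the version number is illustrative.

# What a default http.conf (servername left unset) is described as returning.
DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: Asterisk/13.1.0
Content-Type: text/html
'

# What the same request returns once "servername=asterisk" is set in http.conf.
HARDENED_HEADERS='HTTP/1.1 200 OK
Server: asterisk
Content-Type: text/html
'

# Print the value of the (case-insensitive) Server header, or nothing if absent.
server_header() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i '^Server:' | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Succeed (exit 0) when the header carries an "Asterisk/<digits>" token.
discloses_version() {
    srv=$(server_header "$1")
    case "$srv" in
        *[Aa]sterisk/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a raw response, suitable for a monitoring check.
verdict() {
    if discloses_version "$1"; then
        printf 'version disclosed: %s\n' "$(server_header "$1")"
    else
        printf 'ok: %s\n' "$(server_header "$1")"
    fi
}

# Hypothetical live helper (not invoked here): fetch the headers of
# http://<bindaddr>:<bindport>/<prefix>/httpstatus with curl -sI and grade them.
live_verdict() {
    verdict "$(curl -sI "$1")"
}

verdict "$DEFAULT_HEADERS"    # version disclosed: Asterisk/13.1.0
verdict "$HARDENED_HEADERS"   # ok: asterisk
```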

asterisk-dev mailing list