The first patch, below, only modifies server/core.c so that the output of ap_psignature tracks the value of ServerTokens (up to the level of ServerTokens Minimal, which is the current sole possibility). The disadvantage of it is that the current behaviour cannot be replicated -- if ServerTokens is ProductOnly, for example, the signature cannot be the current "Apache/2.0.43". For me, this isn't a problem. For others, it might be -- especially if, for example, the information is used in mod_status to find the running version (where, for some reason, httpd -v isn't practical).
Nah, I'm not terribly concerned about that edge case.
I like this alternative much more than the other one. I'm a believer that ServerTokens is that 'authoritative' version that should always be represented to the world.
Anyway, below is patch alternative 1: change current behaviour to only allow what I want. Built against the released 2.0.43 code, my (limited) testing doesn't show a significant throughput difference compared with the current code. It applies to the current CVS version, 1.215, with a 28-line offset.
However, wouldn't it be better to just have it return ap_server_version() rather than trying to be cute and cut off at the first space? If ServerTokens is 'full' anyway, you're already exposing it, so I don't see a large concern. It might be a bit more than we had before, but I don't think that's going to scare anyone away. Perhaps it'll teach people to use 'minimal' more often.
And, if you could submit a patch for the documentation, that'd be appreciated. =) -- justin
