Author: markt Date: Mon May 23 19:55:33 2016 New Revision: 1745248 URL: http://svn.apache.org/viewvc?rev=1745248&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58750 The HTTP Server header is no longer set by default. A Server header may be configured by setting the server attribute on the Connector. A new Connector attribute, serverRemoveAppProvidedValues may be used to remove any Server header set by a web application.
Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java tomcat/trunk/java/org/apache/coyote/http11/Constants.java tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/http.xml Modified: tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1745248&r1=1745247&r2=1745248&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Mon May 23 19:55:33 2016 @@ -196,6 +196,13 @@ public abstract class AbstractHttp11Prot } + private boolean serverRemoveAppProvidedValues = false; + public boolean getServerRemoveAppProvidedValues() { return serverRemoveAppProvidedValues; } + public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) { + this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues; + } + + /** * Maximum size of trailing headers in bytes */ @@ -640,6 +647,7 @@ public abstract class AbstractHttp11Prot processor.setRestrictedUserAgents(getRestrictedUserAgents()); processor.setMaxSavePostSize(getMaxSavePostSize()); processor.setServer(getServer()); + processor.setServerRemoveAppProvidedValues(getServerRemoveAppProvidedValues()); return processor; } Modified: tomcat/trunk/java/org/apache/coyote/http11/Constants.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Constants.java?rev=1745248&r1=1745247&r2=1745248&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/Constants.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Constants.java Mon May 23 19:55:33 2016 
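Review bot: The new `getServerRemoveAppProvidedValues`/`setServerRemoveAppProvidedValues` pair in the first AbstractHttp11Protocol hunk is public connector configuration but carries no Javadoc, unlike the neighbouring `Maximum size of trailing headers` field, so a reader has to open http.xml to learn what the flag does. I would add above the field `/** If true, a Server header set by a web application is removed when no connector-level server value overrides it. */` and note on the setter that the value appears to reach a processor only when it is created, since the second hunk copies it in just before `return processor;`. The one-line getter also sits oddly beside the brace-per-line setter; splitting it to match the surrounding style would help. The method closed by the leading `}` and the create method in the second hunk both start outside the hunks.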
@@ -35,13 +35,6 @@ public final class Constants { /** - * Server string. - */ - public static final byte[] SERVER_BYTES = - ByteChunk.convertToBytes("Server: Apache-Coyote/1.1" + CRLF); - - - /** * CR. */ public static final byte CR = (byte) '\r'; Modified: tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1745248&r1=1745247&r2=1745248&view=diff ============================================================================== --- tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java (original) +++ tomcat/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon May 23 19:55:33 2016 @@ -196,9 +196,16 @@ public class Http11Processor extends Abs /** * Allow a customized the server header for the tin-foil hat folks. */ - protected String server = null; + private String server = null; + /* + * Should application provider values for the HTTP Server header be removed. + * Note that if {@link #server} is set, any application provided vale will + * be over-ridden. + */ + private boolean serverRemoveAppProvidedValues = false; + /** * Instance of the new protocol to use after the HTTP connection has been * upgraded. @@ -479,6 +486,11 @@ public class Http11Processor extends Abs } + public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) { + this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues; + } + + /** * Check if the resource could be compressed, if the client supports it. */ 
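Review bot: The new block comment on `serverRemoveAppProvidedValues` in the first Http11Processor hunk has two typos ("provider", "vale") and uses `{@link #server}` inside a `/*` comment, where Javadoc tags are not processed; it should be a `/** ... */` comment reading `Should application provided values for the HTTP Server header be removed. Note that if {@link #server} is set, any application provided value will be over-ridden.` Narrowing `server` from `protected` to `private` in the same hunk is a source-compatibility change for any subclass of Http11Processor that touched the field directly; if that is intended it deserves a mention in the changelog entry. The `setServerRemoveAppProvidedValues` setter added in the second hunk is likewise undocumented. The same proof-read is due in the http.xml hunk, where the attribute description reads "any Server header Server header set".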
@@ -1581,12 +1593,13 @@ public class Http11Processor extends Abs outputBuffer.sendStatus(); // Add server header - if (server != null) { - // Always overrides anything the app might set + if (server == null) { + if (serverRemoveAppProvidedValues) { + headers.removeHeader("server"); + } + } else { + // server always overrides anything the app might set headers.setValue("Server").setString(server); - } else if (headers.getValue("Server") == null) { - // If app didn't set the header, use the default - outputBuffer.write(Constants.SERVER_BYTES); } int size = headers.size(); Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1745248&r1=1745247&r2=1745248&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Mon May 23 19:55:33 2016 @@ -87,6 +87,13 @@ <fix> Improve handling of HTTP/2 stream resets. (markt) </fix> + <add> + <bug>58750</bug>: The HTTP Server header is no longer set by default. A + Server header may be configured by setting the <code>server</code> + attribute on the <code>Connector</code>. A new <code>Connector</code> + attribute, <code>serverRemoveAppProvidedValues</code> may be used to + remove any Server header set by a web application. (markt) + </add> </changelog> </subsection> <subsection name="Jasper"> Modified: tomcat/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/http.xml?rev=1745248&r1=1745247&r2=1745248&view=diff ============================================================================== --- tomcat/trunk/webapps/docs/config/http.xml (original) +++ tomcat/trunk/webapps/docs/config/http.xml Mon May 23 19:55:33 2016 
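Review bot: `headers.removeHeader("server")` uses a lower-case name while the `else` branch writes `headers.setValue("Server")`; whether the removal matches a header an application set as `Server` depends on `removeHeader` comparing names case-insensitively, which is not visible here. A single constant such as `private static final String SERVER_HEADER = "Server";` used in both branches would remove both the doubt and the inconsistency. The comment `// server always overrides anything the app might set` could also state the inverse case, that with `server` unset and the flag true the response carries no Server header at all, since that is now the path an operator relies on to stop the connector from identifying itself. The enclosing method starts and ends outside the hunk.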
@@ -533,12 +533,16 @@ <attribute name="server" required="false"> <p>Overrides the Server header for the http response. If set, the value - for this attribute overrides the Tomcat default and any Server header set - by a web application. If not set, any value specified by the application - is used. If the application does not specify a value then - <code>Apache-Coyote/1.1</code> is used. Unless you are paranoid, you won't - need this feature. - </p> + for this attribute overrides any Server header set by a web application. + If not set, any value specified by the application is used. If the + application does not specify a value then no Server header is set.</p> + </attribute> + + <attribute name="serverRemoveAppProvidedValues" required="false"> + <p>If <code>true</code>, any Server header Server header set by a web + application will be removed. Note that if <strong>server</strong> is set, + this attribute is effectively ignored. If not set, the default value of + <code>false</code> will be used.</p> </attribute> <attribute name="SSLEnabled" required="false"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org