Author: markt
Date: Mon May 23 19:56:09 2016
New Revision: 1745249

URL: http://svn.apache.org/viewvc?rev=1745249&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
The HTTP Server header is no longer set by default. A Server header may be 
configured by setting the server attribute on the Connector. A new Connector 
attribute, serverRemoveAppProvidedValues may be used to remove any Server 
header set by a web application.

Modified:
    tomcat/tc8.5.x/trunk/   (props changed)
    
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
    tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java
    tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
    tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
    tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml

Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 23 19:56:09 2016
@@ -1 +1 @@
-/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677
 
,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677
 
,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
(original)
+++ 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 
Mon May 23 19:56:09 2016
@@ -196,6 +196,13 @@ public abstract class AbstractHttp11Prot
     }
 
 
+    private boolean serverRemoveAppProvidedValues = false;
+    public boolean getServerRemoveAppProvidedValues() { return 
serverRemoveAppProvidedValues; }
+    public void setServerRemoveAppProvidedValues(boolean 
serverRemoveAppProvidedValues) {
+        this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+    }
+
+
     /**
      * Maximum size of trailing headers in bytes
      */
@@ -640,6 +647,7 @@ public abstract class AbstractHttp11Prot
         processor.setRestrictedUserAgents(getRestrictedUserAgents());
         processor.setMaxSavePostSize(getMaxSavePostSize());
         processor.setServer(getServer());
+        
processor.setServerRemoveAppProvidedValues(getServerRemoveAppProvidedValues());
         return processor;
     }
 

Modified: tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java Mon May 
23 19:56:09 2016
@@ -35,13 +35,6 @@ public final class Constants {
 
 
     /**
-     * Server string.
-     */
-    public static final byte[] SERVER_BYTES =
-        ByteChunk.convertToBytes("Server: Apache-Coyote/1.1" + CRLF);
-
-
-    /**
      * CR.
      */
     public static final byte CR = (byte) '\r';

Modified: 
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java 
(original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon 
May 23 19:56:09 2016
@@ -196,9 +196,16 @@ public class Http11Processor extends Abs
     /**
      * Allow a customized the server header for the tin-foil hat folks.
      */
-    protected String server = null;
+    private String server = null;
 
 
+    /*
+     * Should application provider values for the HTTP Server header be 
removed.
+     * Note that if {@link #server} is set, any application provided vale will
+     * be over-ridden.
+     */
+    private boolean serverRemoveAppProvidedValues = false;
+
     /**
      * Instance of the new protocol to use after the HTTP connection has been
      * upgraded.
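Review bot: The comment on the new `serverRemoveAppProvidedValues` field has several typos — `provider` for `provided`, `vale` for `value`, `over-ridden` — and is opened with `/*` while using `{@link #server}`, which only renders as a link under a `/**` Javadoc comment. I would write it as `/** Should application-provided values for the HTTP Server header be removed. Note that if {@link #server} is set, any application-provided value is overridden. */`. Separately, `server` changes from `protected` to `private` in the same hunk; if any subclass outside this tree reads that field the change is source-incompatible, and the changelog entry in this commit does not mention it. The class body continues outside the hunk.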
@@ -479,6 +486,11 @@ public class Http11Processor extends Abs
     }
 
 
+    public void setServerRemoveAppProvidedValues(boolean 
serverRemoveAppProvidedValues) {
+        this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+    }
+
+
     /**
      * Check if the resource could be compressed, if the client supports it.
      */
@@ -1581,12 +1593,13 @@ public class Http11Processor extends Abs
         outputBuffer.sendStatus();
 
         // Add server header
-        if (server != null) {
-            // Always overrides anything the app might set
+        if (server == null) {
+            if (serverRemoveAppProvidedValues) {
+                headers.removeHeader("server");
+            }
+        } else {
+            // server always overrides anything the app might set
             headers.setValue("Server").setString(server);
-        } else if (headers.getValue("Server") == null) {
-            // If app didn't set the header, use the default
-            outputBuffer.write(Constants.SERVER_BYTES);
         }
 
         int size = headers.size();
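Review bot: The removal branch calls `headers.removeHeader("server")` with a lowercase literal while the override branch uses `headers.setValue("Server")`, so whether an application-set `Server` header is actually stripped depends on `removeHeader` matching names case-insensitively and removing every occurrence, neither of which is visible in this hunk — worth confirming, and using the same `"Server"` spelling in both branches so the intent is obvious. From a hardening standpoint, dropping the default removes the `Apache-Coyote/1.1` fingerprint, but an application can still advertise its own `Server` value unless `serverRemoveAppProvidedValues` is also set; a why-comment on the `server == null` branch such as `// No default Server header; strip an app-provided one only when configured to.` would make that explicit. The enclosing method starts and ends outside the hunk.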

Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon May 23 19:56:09 2016
@@ -87,6 +87,13 @@
       <fix>
         Improve handling of HTTP/2 stream resets. (markt)
       </fix>
+      <add>
+        <bug>58750</bug>: The HTTP Server header is no longer set by default. A
+        Server header may be configured by setting the <code>server</code>
+        attribute on the <code>Connector</code>. A new <code>Connector</code>
+        attribute, <code>serverRemoveAppProvidedValues</code> may be used to
+        remove any Server header set by a web application. (markt) 
+      </add>
     </changelog>
   </subsection>
   <subsection name="Jasper">

Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Mon May 23 19:56:09 2016
@@ -533,12 +533,16 @@
 
     <attribute name="server" required="false">
       <p>Overrides the Server header for the http response. If set, the value
-      for this attribute overrides the Tomcat default and any Server header set
-      by a web application. If not set, any value specified by the application
-      is used. If the application does not specify a value then
-      <code>Apache-Coyote/1.1</code> is used. Unless you are paranoid, you 
won't
-      need this feature.
-      </p>
+      for this attribute overrides any Server header set by a web application.
+      If not set, any value specified by the application is used. If the
+      application does not specify a value then no Server header is set.</p>
+    </attribute>
+
+    <attribute name="serverRemoveAppProvidedValues" required="false">
+      <p>If <code>true</code>, any Server header Server header set by a web
+      application will be removed. Note that if <strong>server</strong> is set,
+      this attribute is effectively ignored. If not set, the default value of
+      <code>false</code> will be used.</p>
     </attribute>
 
     <attribute name="SSLEnabled" required="false">


