Author: markt Date: Mon May 23 19:56:09 2016 New Revision: 1745249 URL: http://svn.apache.org/viewvc?rev=1745249&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58750 The HTTP Server header is no longer set by default. A Server header may be configured by setting the server attribute on the Connector. A new Connector attribute, serverRemoveAppProvidedValues may be used to remove any Server header set by a web application.
Modified:
tomcat/tc8.5.x/trunk/ (props changed)
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java
tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml
Propchange: tomcat/tc8.5.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Mon May 23 19:56:09 2016
@@ -1 +1 @@ -/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677 ,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227 
+/tomcat/trunk:1734785,1734799,1734845,1734928,1735041,1735044,1735480,1735577,1735597,1735599-1735600,1735615,1736145,1736162,1736209,1736280,1736297,1736299,1736489,1736646,1736703,1736836,1736849,1737104-1737105,1737112,1737117,1737119-1737120,1737155,1737157,1737192,1737280,1737339,1737632,1737664,1737715,1737748,1737785,1737834,1737860,1737959,1738005,1738007,1738014-1738015,1738018,1738022,1738039,1738043,1738059-1738060,1738147,1738149,1738174-1738175,1738261,1738589,1738623-1738625,1738643,1738816,1738850,1738855,1738946-1738948,1738953-1738954,1738979,1738982,1739079-1739081,1739087,1739113,1739153,1739172,1739176,1739191,1739474,1739726,1739762,1739775,1739814,1739817-1739818,1739975,1740131,1740324,1740465,1740495,1740508-1740509,1740520,1740535,1740707,1740803,1740810,1740969,1740980,1740991,1740997,1741015,1741033,1741036,1741058,1741060,1741080,1741147,1741159,1741164,1741173,1741181,1741190,1741197,1741202,1741208,1741213,1741221,1741225,1741232,1741409,1741501,1741677 ,1741892,1741896,1741984,1742023,1742042,1742071,1742090,1742093,1742101,1742105,1742111,1742139,1742146,1742148,1742166,1742181,1742184,1742187,1742246,1742248-1742251,1742263-1742264,1742268,1742276,1742369,1742387,1742448,1742509-1742512,1742917,1742919,1742933,1742975-1742976,1742984,1742986,1743019,1743115,1743117,1743124-1743125,1743134,1743425,1743554,1743679,1743696-1743698,1743700-1743701,1744058,1744064-1744065,1744125,1744194,1744229,1744270,1744323,1744432,1744684,1744697,1744705,1744713,1744760,1744786,1745142-1745143,1745145,1745177,1745179-1745180,1745227,1745248
Modified: tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/AbstractHttp11Protocol.java Mon May 23 19:56:09 2016
@@ -196,6 +196,13 @@ public abstract class AbstractHttp11Prot
 }
+ private boolean serverRemoveAppProvidedValues = false;
+ public boolean getServerRemoveAppProvidedValues() { return serverRemoveAppProvidedValues; }
+ public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) {
+ this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+ }
+
+
 /**
 * Maximum size of trailing headers in bytes
 */
@@ -640,6 +647,7 @@ public abstract class AbstractHttp11Prot
 processor.setRestrictedUserAgents(getRestrictedUserAgents());
 processor.setMaxSavePostSize(getMaxSavePostSize());
 processor.setServer(getServer());
+ processor.setServerRemoveAppProvidedValues(getServerRemoveAppProvidedValues());
 return processor;
 }
Modified: tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Constants.java Mon May 23 19:56:09 2016
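Review bot: The new public accessors `getServerRemoveAppProvidedValues()` and `setServerRemoveAppProvidedValues(boolean)` in the `@@ -196,6 +196,13 @@` hunk carry no Javadoc, although they back a user-facing Connector attribute that this same commit documents in http.xml. A short comment above the field would let a maintainer see the interaction with `server` without opening Http11Processor, e.g. `/** When no server value is configured and this is true, any Server header set by the web application is removed from the response; default false. */`. The getter is also written as a single-line method while the setter spans three lines; matching the bracing style of the neighbouring accessors would read more consistently. The enclosing class continues outside both hunks.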
@@ -35,13 +35,6 @@ public final class Constants {
 /**
- * Server string.
- */
- public static final byte[] SERVER_BYTES =
- ByteChunk.convertToBytes("Server: Apache-Coyote/1.1" + CRLF);
-
-
- /**
 * CR.
 */
 public static final byte CR = (byte) '\r';
Modified: tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java (original)
+++ tomcat/tc8.5.x/trunk/java/org/apache/coyote/http11/Http11Processor.java Mon May 23 19:56:09 2016
@@ -196,9 +196,16 @@ public class Http11Processor extends Abs
 /**
 * Allow a customized the server header for the tin-foil hat folks.
 */
- protected String server = null;
+ private String server = null;
+ /*
+ * Should application provider values for the HTTP Server header be removed.
+ * Note that if {@link #server} is set, any application provided vale will
+ * be over-ridden.
+ */
+ private boolean serverRemoveAppProvidedValues = false;
+
 /**
 * Instance of the new protocol to use after the HTTP connection has been
 * upgraded.
@@ -479,6 +486,11 @@ public class Http11Processor extends Abs
 }
+ public void setServerRemoveAppProvidedValues(boolean serverRemoveAppProvidedValues) {
+ this.serverRemoveAppProvidedValues = serverRemoveAppProvidedValues;
+ }
+
+
 /**
 * Check if the resource could be compressed, if the client supports it.
 */
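Review bot: The block comment added above `serverRemoveAppProvidedValues` in the `@@ -196,9 +196,16 @@` hunk of Http11Processor.java has typos ("provider" for "provided", "vale" for "value") and opens with `/*` although it uses a `{@link #server}` tag that only Javadoc processes; suggest `/** Should application provided values for the HTTP Server header be removed. Note that if {@link #server} is set, any application provided value will be over-ridden. */`. The same hunk narrows `server` from `protected` to `private`, which in a maintenance branch can break any subclass of Http11Processor that reads the field directly; worth confirming that no subclass does before narrowing it. The setter added in the following `@@ -479,6 +486,11 @@` hunk is likewise undocumented. Both hunks are fragments of the class body, which continues outside them.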
@@ -1581,12 +1593,13 @@ public class Http11Processor extends Abs
 outputBuffer.sendStatus();
 // Add server header
- if (server != null) {
- // Always overrides anything the app might set
+ if (server == null) {
+ if (serverRemoveAppProvidedValues) {
+ headers.removeHeader("server");
+ }
+ } else {
+ // server always overrides anything the app might set
 headers.setValue("Server").setString(server);
- } else if (headers.getValue("Server") == null) {
- // If app didn't set the header, use the default
- outputBuffer.write(Constants.SERVER_BYTES);
 }
 int size = headers.size();
Modified: tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/changelog.xml Mon May 23 19:56:09 2016
@@ -87,6 +87,13 @@
 <fix>
 Improve handling of HTTP/2 stream resets. (markt)
 </fix>
+ <add>
+ <bug>58750</bug>: The HTTP Server header is no longer set by default. A
+ Server header may be configured by setting the <code>server</code>
+ attribute on the <code>Connector</code>. A new <code>Connector</code>
+ attribute, <code>serverRemoveAppProvidedValues</code> may be used to
+ remove any Server header set by a web application. (markt)
+ </add>
 </changelog>
 </subsection>
 <subsection name="Jasper">
Modified: tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml?rev=1745249&r1=1745248&r2=1745249&view=diff
==============================================================================
--- tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml (original)
+++ tomcat/tc8.5.x/trunk/webapps/docs/config/http.xml Mon May 23 19:56:09 2016
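Review bot: `headers.removeHeader("server")` in the `@@ -1581,12 +1593,13 @@` hunk uses a lowercase header name while the `else` branch a few lines below writes `"Server"`; if MimeHeaders matches names case-insensitively (as its other lookups appear to) the behaviour is the same, but the mismatch reads like a bug and one spelling should be used throughout, `headers.removeHeader("Server");`. The new default path (no `server` configured, flag left `false`) now passes an application-set Server header through untouched and emits nothing when the application set none, which is the point of the change but is only implied by the code; a comment such as `// No server value configured: emit whatever the app set, unless configured to strip it` on the `if (server == null)` line would make that explicit for the next reader. The enclosing method continues outside the hunk.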
@@ -533,12 +533,16 @@
 <attribute name="server" required="false">
 <p>Overrides the Server header for the http response. If set, the value
- for this attribute overrides the Tomcat default and any Server header set
- by a web application. If not set, any value specified by the application
- is used. If the application does not specify a value then
- <code>Apache-Coyote/1.1</code> is used. Unless you are paranoid, you won't
- need this feature.
- </p>
+ for this attribute overrides any Server header set by a web application.
+ If not set, any value specified by the application is used. If the
+ application does not specify a value then no Server header is set.</p>
+ </attribute>
+
+ <attribute name="serverRemoveAppProvidedValues" required="false">
+ <p>If <code>true</code>, any Server header Server header set by a web
+ application will be removed. Note that if <strong>server</strong> is set,
+ this attribute is effectively ignored. If not set, the default value of
+ <code>false</code> will be used.</p>
 </attribute>
 <attribute name="SSLEnabled" required="false">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org