Author: violetagg
Date: Thu May 8 07:30:47 2014
New Revision: 1593196
URL: http://svn.apache.org/r1593196
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56463
Merged revision 1593189 from tomcat/trunk:
Property for disabling server information is added to the DefaultServlet.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/conf/web.xml
tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml
tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1593189
Modified: tomcat/tc7.0.x/trunk/conf/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/conf/web.xml?rev=1593196&r1=1593195&r2=1593196&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/conf/web.xml (original)
+++ tomcat/tc7.0.x/trunk/conf/web.xml Thu May 8 07:30:47 2014
@@ -94,6 +94,10 @@
<!-- path that points to a location below either -->
<!-- $CATALINA_BASE/conf (checked first) or -->
<!-- $CATALINA_HOME/conf (checked second).[null] -->
+ <!-- -->
+ <!-- showServerInfo Should server information be presented in the -->
+ <!-- response sent to clients when directory -->
+ <!-- listings is enabled? [true] -->
<servlet>
<servlet-name>default</servlet-name>
Modified:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1593196&r1=1593195&r2=1593196&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
Thu May 8 07:30:47 2014
@@ -225,6 +225,11 @@ public class DefaultServlet
*/
protected static final ArrayList<Range> FULL = new ArrayList<Range>();
+ /**
+ * Flag to determine if server information is presented.
+ */
+ protected boolean showServerInfo = true;
+
// ----------------------------------------------------- Static Initializer
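Review bot: The Javadoc on the new `showServerInfo` field does not say where the information is shown or what the default means for a deployment. Because the field defaults to `true`, an installation with directory listings enabled keeps sending the server information until an operator sets the init parameter, so the comment should say so, e.g. `Should the server information be appended to generated directory listings? Defaults to true; set the showServerInfo init parameter to false to omit it.` The field is also `protected` and non-final, so a subclass can change it after initialisation; whether that is intended is not visible from this hunk.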
@@ -277,6 +282,7 @@ public class DefaultServlet
protected static final int BUFFER_SIZE = 4096;
+
// --------------------------------------------------------- Public Methods
@@ -352,6 +358,9 @@ public class DefaultServlet
throw new UnavailableException("No resources");
}
+ if (getServletConfig().getInitParameter("showServerInfo") != null) {
+ showServerInfo =
Boolean.parseBoolean(getServletConfig().getInitParameter("showServerInfo"));
+ }
}
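Review bot: The added block looks up the `showServerInfo` init parameter twice and passes it to `Boolean.parseBoolean`, which returns false for anything other than a case-insensitive "true". A value such as `yes` or `1` therefore hides the server information without any log message; that fails in the safe direction, but the misconfiguration stays invisible to the operator. Reading the value once keeps the null check and the parse on the same string: `String value = getServletConfig().getInitParameter("showServerInfo");` followed by `if (value != null) { showServerInfo = Boolean.parseBoolean(value); }`. The enclosing method starts above the hunk.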
@@ -1561,7 +1570,9 @@ public class DefaultServlet
sb.append("<HR size=\"1\" noshade=\"noshade\">");
}
- sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>");
+ if (showServerInfo) {
+
sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>");
+ }
sb.append("</body>\r\n");
sb.append("</html>\r\n");
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1593196&r1=1593195&r2=1593196&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu May 8 07:30:47 2014
@@ -140,6 +140,12 @@
<bug>56451</bug>: Make resources accessed via a context alias
accessible
via JNDI in the same way standard resources are available. (markt)
</fix>
+ <add>
+ <bug>56463</bug>: Property for disabling server information is added to
+ the <code>DefaultServlet</code>. Server information is presented in the
+ response sent to the client when directory listings is enabled.
+ (violetagg)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml?rev=1593196&r1=1593195&r2=1593196&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml Thu May 8 07:30:47
2014
@@ -156,6 +156,10 @@ directory listings are disabled and debu
If true, the Accept-Ranges header will be set when appropriate for the
response. [true]
</property>
+ <property name="showServerInfo">
+ Should server information be presented in the response sent to clients
+ when directory listing is enabled. [true]
+ </property>
</properties>
</section>
Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1593196&r1=1593195&r2=1593196&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Thu May 8 07:30:47
2014
@@ -440,6 +440,21 @@ server.info=Apache Tomcat/7.0.x
thousands of files can consume significant CPU leading to a DOS attack.
</p>
+ <p>The DefaultServlet is configured with <strong>showServerInfo</strong>
+ set to <code>true</code>. When the directory listings is enabled the Tomcat
+ version number is included in the response sent to clients. To avoid this,
+ you can explicitly configure a DefaultServlet and set its
+ <strong>showServerInfo</strong> attribute to false.
+ Alternatively, the version number can be changed by creating the file
+ CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with
+ content as follows:</p>
+ <source>server.info=Apache Tomcat/<version-major-minor/>.x</source>
+ <p>Modify the values as required. Note that this will also change the
version
+ number reported in some of the management tools and may make it harder to
+ determine the real version installed. The CATALINA_HOME/bin/version.bat|sh
+ script will still report the version number.
+ </p>
+
<p><a href="config/filter.html">FailedRequestFilter</a>
can be configured and used to reject requests that had errors during
request parameter parsing. Without the filter the default behaviour is