RE: Retrieve server.built, server.number

2024-04-10 Thread Mcalexander, Jon J.
True that Mark, but unfortunately Management typically has a different thought 
process on that. ☹

Jon McAlexander

From: Mark Thomas 
Sent: Wednesday, April 10, 2024 3:13 PM
To: users@tomcat.apache.org
Subject: Re: Retrieve server.built, server.number

On 10/04/2024 21:15, Christopher Schultz wrote:
> All,
>
> On 4/10/24 4:00 AM, Mark Thomas wrote:
>> On 09/04/2024 17:17, prat 007 wrote:
>>> Hi All,
>>>
>>> I would like to know is there a way to find tomcat's server.built and
>>> server.number remotely using tool like curl or from browser?
>>
>> In a default installation, no.
>>
>> You'd have to write a servlet that reported that information and then
>> request that page.
>
> ... and it might represent an information leakage vulnerability in your
> application. Be Careful.

Shall we start the flame war now on whether exposing the current version
you are running represents a valid vulnerability or if hiding it is
just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view)
keeping your Tomcat installations up to date with the latest releases
than it is ensuring that you hide the version number.

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Re: Retrieve server.built, server.number

2024-04-10 Thread Mark Thomas




On 10/04/2024 21:15, Christopher Schultz wrote:
> All,
>
> On 4/10/24 4:00 AM, Mark Thomas wrote:
>> On 09/04/2024 17:17, prat 007 wrote:
>>> Hi All,
>>>
>>> I would like to know is there a way to find tomcat's server.built and
>>> server.number remotely using tool like curl or from browser?
>>
>> In a default installation, no.
>>
>> You'd have to write a servlet that reported that information and then
>> request that page.
>
> ... and it might represent an information leakage vulnerability in your
> application. Be Careful.

Shall we start the flame war now on whether exposing the current version
you are running represents a valid vulnerability or if hiding it is
just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view)
keeping your Tomcat installations up to date with the latest releases
than it is ensuring that you hide the version number.


Mark




Re: Retrieve server.built, server.number

2024-04-10 Thread Christopher Schultz

All,

On 4/10/24 4:00 AM, Mark Thomas wrote:
> On 09/04/2024 17:17, prat 007 wrote:
>> Hi All,
>>
>> I would like to know is there a way to find tomcat's server.built and
>> server.number remotely using tool like curl or from browser?
>
> In a default installation, no.
>
> You'd have to write a servlet that reported that information and then
> request that page.


... and it might represent an information leakage vulnerability in your 
application. Be Careful.


-chris
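
Added example, not part of the original thread and not Tomcat's own code: a servlet of the kind Mark describes, restricted to an authenticated role so that it does not become the information leak Chris warns about. It targets Tomcat 9 (`javax.servlet`); the class name, URL path and role `ops-version-reader` are assumptions, and the web application must define a `<login-config>` for the constraint to authenticate anyone.

```java
import java.io.IOException;

import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Provided by catalina.jar in $CATALINA_HOME/lib; compile against it as a
// "provided" dependency rather than bundling it in the WAR.
import org.apache.catalina.util.ServerInfo;

// Hypothetical servlet: the path and the role name are assumptions.
// The container enforces authentication, the role and TLS before doGet() runs.
@WebServlet("/internal/tomcat-version")
@ServletSecurity(@HttpConstraint(
        rolesAllowed = "ops-version-reader",
        transportGuarantee = TransportGuarantee.CONFIDENTIAL))
public class TomcatVersionServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;
    private static final String ROLE = "ops-version-reader";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Defence in depth: a security-constraint in web.xml for the same
        // URL pattern overrides the annotation, so re-check the role here
        // and answer 404 so the endpoint does not reveal that it exists.
        if (!req.isUserInRole(ROLE)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        // Keep the version string out of shared and browser caches.
        resp.setHeader("Cache-Control", "no-store");

        // The same values version.sh prints as "Server number" and
        // "Server built".
        resp.getWriter().printf("server.number=%s%nserver.built=%s%n",
                ServerInfo.getServerNumber(), ServerInfo.getServerBuilt());
    }
}
```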




Re: Retrieve server.built, server.number

2024-04-10 Thread Mark Thomas

On 09/04/2024 17:17, prat 007 wrote:
> Hi All,
>
> I would like to know is there a way to find tomcat's server.built and
> server.number remotely using tool like curl or from browser?

In a default installation, no.

You'd have to write a servlet that reported that information and then
request that page.

Mark

> I am currently running tomcat v 9.0.87.
>
> This information gets displayed when we run version.sh or in the starting
> logs when tomcat starts up but how we can find it without logging into the
> tomcat server.
>
> Thanks,






Re: Tomcat & Http 103 Early Hint

2024-04-10 Thread Mark Thomas

Contributions always welcome.

The initial work will be on the changes to the Servlet API. The issue to
track that is:

https://github.com/jakartaee/servlet/issues/542

Mark


On 09/04/2024 08:15, xulin y wrote:
> Hi Mark,
>
> Is there any chance I could help with delivering this new feature? At
> least, I can help with writing some tests.
>
> I think this new http feature can be beneficial a lot for web application
> page load performance. Therefore, this is crucial for the whole Tomcat
> community.
>
> By Xulin Yang
> Kind Regards
>
> Mark Thomas wrote on Mon, 8 Apr 2024 at 19:24:
>
>> 8 Apr 2024 10:26:23 xulin y :
>>
>>> Hi,
>>> I would like to ask about whether Tomcat has support for http 103 early
>>> hint response status?
>>
>> Not at the moment.
>>
>>> I have checked the latest
>>> doc that
>>> https://tomcat.apache.org/tomcat-11.0-doc/servletapi/jakarta/servlet/http/HttpServletResponse.html
>>> does not have 103 response status.
>>>
>>> If not, do we have any plan to implement it?
>>
>> It is expected to be part of Servlet.next / Tomcat 12. If possible, there
>> is a good chance it will be back-ported to earlier Tomcat versions.
>>
>> Mark
>>
>>> By Xulin Yang
>>> Kind Regards







