Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-30 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 30, 2015, 10:52 a.m.) Status -- This change has been ma

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14383 --- Ship it! Ship It! - rmudgett On Jan. 29, 2015, 4:54 p.m., A

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 29, 2015, 4:54 p.m.) Review request for Asterisk Developers.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 29, 2015, 4:48 p.m.) Review request for Asterisk Developers.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Ashley Sanders
> On Jan. 29, 2015, 11:20 a.m., rmudgett wrote: > > ./branches/13/main/http.c, lines 80-81 > > > > > > Double this because SVN versions could get lengthy and server names can > > be larger as well. Okay. I will mak

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Ashley Sanders
> On Jan. 28, 2015, 6:21 a.m., Corey Farrell wrote: > > If we assume that there are always unknown security vulnerabilities, I > > think it is worth completely removing "Server: Asterisk/". > > Another option would be trimming to major version only - Server: > > Asterisk/13. Otherwise any sy

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14362 --- Ship it! ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Corey Farrell
> On Jan. 28, 2015, 7:21 a.m., Corey Farrell wrote: > > If we assume that there are always unknown security vulnerabilities, I > > think it is worth completely removing "Server: Asterisk/". > > Another option would be trimming to major version only - Server: > > Asterisk/13. Otherwise any sy

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-29 Thread Matt Jordan
> On Jan. 28, 2015, 6:21 a.m., Corey Farrell wrote: > > If we assume that there are always unknown security vulnerabilities, I > > think it is worth completely removing "Server: Asterisk/". > > Another option would be trimming to major version only - Server: > > Asterisk/13. Otherwise any sy

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
> On Jan. 28, 2015, 5:42 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 560 > > > > > > I'm surprised that the compiler didn't complain about http_header_data > > being const because it is passed to ast_

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 8:13 p.m.) Review request for Asterisk Developers.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14351 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 5:15 p.m.) Review request for Asterisk Developers.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
> On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 384 > > > > > > Does this need to be skipped if http_server_name is empty? > > Ashley Sanders wrote: > I think in the case of t

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 640 > > > > > > This seems kind of small for the amount that could be put in here. May > > want to switch to using an ast_str fo

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 639 > > > > > > What you had before was better: > > char *status_title = "Unauthorized"; > > > > char status_title[16

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread rmudgett
> On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 384 > > > > > > Does this need to be skipped if http_server_name is empty? > > Ashley Sanders wrote: > I think in the case of t

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread rmudgett
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 639 > > > > > > What you had before was better: > > char *status_title = "Unauthorized"; > > > > char status_title[16

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 639 > > > > > > What you had before was better: > > char *status_title = "Unauthorized"; > > > > char status_title[16

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 10:57 a.m.) Review request for Asterisk Developers

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-28 Thread Corey Farrell
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14339 --- If we assume that there are always unknown security vulnerabili

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 640 > > > > > > This seems kind of small for the amount that could be put in here. May > > want to switch to using an ast_str fo

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 639 > > > > > > What you had before was better: > > char *status_title = "Unauthorized"; > > > > char status_title[16

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
> On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 384 > > > > > > Does this need to be skipped if http_server_name is empty? I think in the case of the status and the CLI, we should

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14325 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14324 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 27, 2015, 6:16 p.m.) Review request for Asterisk Developers.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 2155 > > > > > > Setting a blank string will really mean a blank servername output value: > > Server: > > > > Is it i

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-27 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, lines 567-568 > > > > > > Why are the allocation sizes passed in? > > Ashley Sanders wrote: > To account for this handling the error

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread rmudgett
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, lines 567-568 > > > > > > Why are the allocation sizes passed in? > > Ashley Sanders wrote: > To account for this handling the error

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 2153 > > > > > > -1 is not needed for the sizeof parameter. The sizeof parameter > > includes the string nul terminator. I saw t

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 2155 > > > > > > Setting a blank string will really mean a blank servername output value: > > Server: > > > > Is it i

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, lines 608-615 > > > > > > Yuck on toothbrush formatting. I think this looks better, personally. It's easier to read and glean intent.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread rmudgett
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 2155 > > > > > > Setting a blank string will really mean a blank servername output value: > > Server: > > > > Is it i

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: > > ./branches/13/main/http.c, line 2155 > > > > > > Setting a blank string will really mean a blank servername output value: > > Server: > > > > Is it i

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread rmudgett
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14289 --- ./branches/13/configs/samples/http.conf.sample

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Andrew Nagy
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14288 --- Ship it! Ship It! - Andrew Nagy On Jan. 26, 2015, 12:03 p.m

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 26, 2015, 2:03 p.m.) Review request for Asterisk Developers.

[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

2015-01-26 Thread Ashley Sanders
--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- Review request for Asterisk Developers. Bugs: ASTERISK-24316 https://i