From: Remy Maucherat [mailto:[EMAIL PROTECTED] 
> Mark Thomas wrote:
> 
> >The reporter of the bug was trying to use a filter to 
> override the contents of
> >the server header and set it to "no name". They didn't say 
> so, but I am guessing
> >there was a security motive behind their actions.
> >  
> >
> Well, that's not very convincing.

It was only a guess at a reason, based on a short bug report. However section
14.38 of RFC 2616 does state
<quote>
Note: Revealing the specific software version of the server might
      allow the server machine to become more vulnerable to attacks
      against software that is known to contain security holes. Server
      implementors are encouraged to make this field a configurable
      option.
</quote>

The default doesn't include a specific version but I think allowing it to be
overridden is more in line with the quote above.

Further, I couldn't see anything in the servlet spec that limits the use of
response.setHeader() to a subset of HTTP headers.

The patch I applied was based on the handling of the date header immediately
previously in the same class.




---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
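As an added illustration of the scenario the thread discusses (a servlet filter that replaces the Server header through response.setHeader(), so that the response does not advertise the container and its version), here is a minimal Servlet 2.x style filter. This is example code written for this note, not the reporter's filter and not part of Tomcat; the class name ServerHeaderFilter, the init parameter name serverHeader and the default value "no name" are assumptions chosen for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter that overrides the HTTP "Server" response header (hypothetical
 * example class, not Tomcat code). The value comes from the optional
 * init parameter "serverHeader"; when absent, the constructed default
 * "no name" from the bug report is used.
 *
 * Register it in web.xml (assumed configuration, shown as a comment):
 *
 *   <filter>
 *     <filter-name>serverHeader</filter-name>
 *     <filter-class>ServerHeaderFilter</filter-class>
 *     <init-param>
 *       <param-name>serverHeader</param-name>
 *       <param-value>no name</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>serverHeader</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class ServerHeaderFilter implements Filter {

    private String serverValue = "no name";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("serverHeader");
        if (configured != null && configured.trim().length() > 0) {
            serverValue = configured.trim();
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // Set the header before passing control on: once the downstream
        // servlet commits the response, header changes are silently ignored.
        if (response instanceof HttpServletResponse) {
            ((HttpServletResponse) response).setHeader("Server", serverValue);
        }
        chain.doFilter(request, response);
    }

    public void destroy() {
        // nothing to release
    }
}
```

Two caveats worth checking when deploying something like this. First, setHeader() only takes effect while the response is uncommitted, which is why the header is set before chain.doFilter(); a filter that sets it afterwards will usually see no change. Second, whether the container actually emits the filter's value rather than its own is exactly the behaviour this thread is about: before the patch described above, the container could overwrite the application-supplied value when it generated the header, so the effect should be verified by inspecting a real response rather than assumed.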
