From: Remy Maucherat [mailto:[EMAIL PROTECTED]]

> Mark Thomas wrote:
> > The reporter of the bug was trying to use a filter to override the contents of
> > the server header and set it to "no name". They didn't say so, but I am guessing
> > there was a security motive behind their actions.
>
> Well, that's not very convincing.
It was only a guess at a reason, based on a short bug report. However, section 14.38 of RFC 2616 does state:

    Note: Revealing the specific software version of the server might allow
    the server machine to become more vulnerable to attacks against software
    that is known to contain security holes. Server implementors are
    encouraged to make this field a configurable option.

The default doesn't include a specific version, but I think allowing it to be overridden is more in line with the quote above.

Further, I couldn't see anything in the servlet spec that limits the use of response.setHeader() to a subset of HTTP headers.

The patch I applied was based on the handling of the date header immediately previously in the same class.
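The mechanism the bug reporter used, as an added example that is not from the thread or from Tomcat's own code: a servlet Filter that asks for a neutral Server header through response.setHeader(), with the value taken from an init-param (the param name serverHeaderValue is an assumption) so that it is configurable as RFC 2616 suggests. Whether the container keeps the value or overwrites it afterwards is exactly what the patch discussed above decides; the filter can only request it.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ServerHeaderFilter implements Filter {
    // Init-param name is an assumption made for this example.
    private static final String PARAM = "serverHeaderValue";
    // Neutral default, matching the value the bug reporter wanted.
    private String value = "no name";

    @Override
    public void init(FilterConfig config) {
        String configured = config.getInitParameter(PARAM);
        if (configured != null && !configured.trim().isEmpty()) {
            value = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            // Set before delegating: headers set after the response is
            // committed are ignored by the container, so setting it after
            // chain.doFilter() would silently do nothing on large responses.
            ((HttpServletResponse) res).setHeader("Server", value);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter in web.xml with a filter-mapping on /* so every response passes through it, then confirm with a client that the header actually reaches the wire; a container that resets the Server header after the filter runs will show the original value regardless of this code.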