| Field | Value | Field | Value |
|---|---|---|---|
| Summary | setHeader() does not replace the previous value for a "Server" | | |
| Product | Tomcat 5 | Reporter | olivier dupuy <opldupuy> |
| Component | Unknown | Assignee | Tomcat Developers Mailing List <dev> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | michael.radlingmaier |
| Priority | P2 | | |
| Version | 5.5.28 | | |
| Target Milestone | --- | | |
| Hardware | All | | |
| OS | All | | |
Description
olivier dupuy
2009-10-15 11:16:16 UTC
*** Bug 48005 has been marked as a duplicate of this bug. ***

This has been fixed in trunk and proposed for 6.0.x and 5.5.x. Note that you can set the server attribute on the connector to override the default server name. I updated the HTTP connector docs to clarify how this works.

The patch has been applied to 6.0.x and will be included in 6.0.23 onwards.

This fix is incomplete. There should be a distinction between setting a header to an empty string "" and setting it to null (which should clear the header entirely since there is no .removeHeader() on http response). Nevertheless, there is no way to completely avoid sending the "Server" header. Security audits fail just because of the header presence, under the assumption that the specific header, even if blank, is still revealing something about the server.

The solution I have is this (Http11Processor for now):

1- Add a field:

```java
protected boolean addServerHeader = true;
```

2- Implement the setServer() this way, to distinguish the desire to avoid the header completely. If the server.xml doesn't have a server property, the setServer() shouldn't be called and the default is to add server header.

```java
public void setServer(String server) {
    if (server == null) {
        // No override configured: fall back to the default Server header
        this.server = null;
        this.addServerHeader = true;
    } else if (server.equals("")) {
        // Empty string configured: suppress the Server header entirely
        this.server = null;
        this.addServerHeader = false;
    } else {
        // Explicit value configured: always send it
        this.server = server;
        this.addServerHeader = true;
    }
}
```

3- At the end of prepareResponse(), conditionally add the server header:

```java
if (addServerHeader) {
    if (server != null) {
        // Always overrides anything the app might set
        headers.setValue("Server").setString(server);
    } else if (headers.getValue("Server") == null) {
        // If app didn't set the header, use the default
        outputBuffer.write(Constants.SERVER_BYTES);
    }
}
```

This is the proper fix which at least is tomcat specific and doesn't break the servlet spec.

I won't argue about the httpresponse.setHeader("Server", null) since it is not specified in the servlet spec (which means it should be legal to remove the header!).

This has been fixed in 5.5.x and will be included in 5.5.29 onwards.
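An added verification check, not part of this bug report or of Tomcat itself, that a defender can run after setting the connector's server attribute: it classifies a response head into the three states the thread distinguishes (header absent, header sent blank, header sent with a banner), since only the first one satisfies the audit rule described above. The sample response heads are constructed, and `check_live` with its host/port/path parameters is an assumed helper for probing a running instance.

```python
import http.client
from typing import Optional

# Constructed sample response heads (not captured from a real server):
# a default banner, the blank-but-present header the report says still
# fails audits, and the header-free response the proposed patch produces.
SAMPLE_DEFAULT = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"
SAMPLE_EMPTY = b"HTTP/1.1 200 OK\r\nserver: \r\nContent-Length: 0\r\n\r\n"
SAMPLE_ABSENT = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def server_header_from_raw(raw_head: bytes) -> Optional[str]:
    """Return the Server header value, "" if sent blank, None if not sent."""
    head = raw_head.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # header names are case-insensitive
            return value.strip()
    return None


def classify(value: Optional[str]) -> str:
    """Map a header value to the three states the bug thread distinguishes."""
    if value is None:
        return "absent"    # header not sent at all
    if value.strip() == "":
        return "empty"     # sent with a blank value: still reveals presence
    return "present"       # sent with a banner


def audit_passes(raw_head: bytes) -> bool:
    """Only a completely absent Server header satisfies the audit rule."""
    return classify(server_header_from_raw(raw_head)) == "absent"


def check_live(host: str, port: int = 8080, path: str = "/", timeout: float = 5.0) -> str:
    """Classify the Server header of a live endpoint using a HEAD request."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return classify(conn.getresponse().getheader("Server"))
    finally:
        conn.close()


if __name__ == "__main__":
    for label, sample in (("default", SAMPLE_DEFAULT), ("empty", SAMPLE_EMPTY), ("absent", SAMPLE_ABSENT)):
        state = classify(server_header_from_raw(sample))
        print(f"{label:8s} -> {state}, audit passes: {audit_passes(sample)}")
```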