Apache Drill / DRILL-7367

Remove Server details from response headers


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.16.0
    • Fix Version/s: 1.17.0
    • Component/s: None

      Description

      Drill response headers include Server information, which is considered to be a vulnerability.

      curl http://localhost:8047/cluster.json -v -k
      *   Trying ::1...
      * TCP_NODELAY set
      * Connected to localhost (::1) port 8047 (#0)
      > GET /cluster.json HTTP/1.1
      > Host: localhost:8047
      > User-Agent: curl/7.54.0
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Thu, 05 Sep 2019 12:47:53 GMT
      < Content-Type: application/json
      < Content-Length: 436
      < Server: Jetty(9.3.25.v20180904)
      ...
      

      https://pentest-tools.com/blog/essential-http-security-headers/

      After the fix, the headers should not include server information:

      curl http://localhost:8047/cluster.json -v -k
      *   Trying ::1...
      * TCP_NODELAY set
      * Connected to localhost (::1) port 8047 (#0)
      > GET /cluster.json HTTP/1.1
      > Host: localhost:8047
      > User-Agent: curl/7.54.0
      > Accept: */*
      > 
      < HTTP/1.1 200 OK
      < Date: Thu, 05 Sep 2019 13:55:25 GMT
      < Content-Type: application/json
      < Content-Length: 436
      ...
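An added check, not part of this ticket or of Drill's own code, that parses raw HTTP response heads like the two curl captures above and reports any headers that disclose server software; the header list and the helper names are assumptions of this example.

```python
import re
import urllib.request
from typing import Dict, Optional, Tuple

# Headers that reveal server software or versions; a hardened service should
# emit none of them (assumed list, not taken from Drill or the ticket).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

def parse_headers(raw_response: str) -> Dict[str, str]:
    """Parse the head of a raw HTTP/1.x response into a lower-cased header dict."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw_response else "\n\n"
    lines = raw_response.split(sep, 1)[0].splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def server_disclosures(raw_response: str) -> Dict[str, str]:
    """Return the disclosure headers present in a captured response (empty if clean)."""
    headers = parse_headers(raw_response)
    return {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}

def product_version(value: str) -> Optional[Tuple[str, str]]:
    """Split 'Jetty(9.3.25.v20180904)' or 'Apache/2.4.41' into (product, version)."""
    m = re.match(r"\s*([A-Za-z][\w.-]*)\s*[/(]\s*([^\s)]+)", value)
    return (m.group(1), m.group(2)) if m else None

def check_url(url: str) -> Dict[str, str]:
    """Live variant for a running Drillbit, e.g. http://localhost:8047/cluster.json."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return {h: resp.headers[h] for h in DISCLOSURE_HEADERS if resp.headers.get(h)}

# Constructed from the two curl captures in the ticket (before and after the fix).
BEFORE_FIX = ("HTTP/1.1 200 OK\r\nDate: Thu, 05 Sep 2019 12:47:53 GMT\r\n"
              "Content-Type: application/json\r\nContent-Length: 436\r\n"
              "Server: Jetty(9.3.25.v20180904)\r\n\r\n")
AFTER_FIX = ("HTTP/1.1 200 OK\r\nDate: Thu, 05 Sep 2019 13:55:25 GMT\r\n"
             "Content-Type: application/json\r\nContent-Length: 436\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        found = server_disclosures(raw)
        print(label, found or "no server disclosure")
```

Run the module against captured responses, or call check_url() against a live Drillbit after upgrading to verify the Server header is gone.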
      

People

• Assignee: Arina Ielchiieva (arina)
• Reporter: Arina Ielchiieva (arina)
• Reviewer: Vova Vysotskyi
• Votes: 0
• Watchers: 3