Author: violetagg Date: Thu May 8 07:30:47 2014 New Revision: 1593196 URL: http://svn.apache.org/r1593196 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56463 Merged revision 1593189 from tomcat/trunk: A showServerInfo init parameter for disabling server information in directory listings is added to the DefaultServlet.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/conf/web.xml tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Propchange: tomcat/tc7.0.x/trunk/ ------------------------------------------------------------------------------ Merged /tomcat/trunk:r1593189 Modified: tomcat/tc7.0.x/trunk/conf/web.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/conf/web.xml?rev=1593196&r1=1593195&r2=1593196&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/conf/web.xml (original) +++ tomcat/tc7.0.x/trunk/conf/web.xml Thu May 8 07:30:47 2014 @@ -94,6 +94,10 @@ <!-- path that points to a location below either --> <!-- $CATALINA_BASE/conf (checked first) or --> <!-- $CATALINA_HOME/conf (checked second).[null] --> + <!-- --> + <!-- showServerInfo Should server information be presented in the --> + <!-- response sent to clients when directory --> + <!-- listings is enabled? [true] --> <servlet> <servlet-name>default</servlet-name> Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1593196&r1=1593195&r2=1593196&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Thu May 8 07:30:47 2014 
@@ -225,6 +225,11 @@ public class DefaultServlet */ protected static final ArrayList<Range> FULL = new ArrayList<Range>(); + /** + * Flag to determine if server information is presented. + */ + protected boolean showServerInfo = true; + // ----------------------------------------------------- Static Initializer @@ -277,6 +282,7 @@ public class DefaultServlet protected static final int BUFFER_SIZE = 4096; + // --------------------------------------------------------- Public Methods @@ -352,6 +358,9 @@ public class DefaultServlet throw new UnavailableException("No resources"); } + if (getServletConfig().getInitParameter("showServerInfo") != null) { + showServerInfo = Boolean.parseBoolean(getServletConfig().getInitParameter("showServerInfo")); + } } @@ -1561,7 +1570,9 @@ public class DefaultServlet sb.append("<HR size=\"1\" noshade=\"noshade\">"); } - sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>"); + if (showServerInfo) { + sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>"); + } sb.append("</body>\r\n"); sb.append("</html>\r\n"); Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1593196&r1=1593195&r2=1593196&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Thu May 8 07:30:47 2014 
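Review bot: The Javadoc on the new `showServerInfo` field only restates its name; since the field is `protected` and therefore part of what subclasses see, it should say where the value comes from and what it controls. Suggest `/** Whether the Tomcat version string from ServerInfo is appended to generated directory listings. Set from the {@code showServerInfo} init parameter; defaults to {@code true}. */`. It is also worth stating explicitly that the flag affects directory listings only, because the security-howto hunk in this same commit implies the ServerInfo string is reported by other components as well, and a reader of this field alone might assume wider coverage.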
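Review bot: In the `init()` hunk the same init parameter is looked up twice, and the assignment line runs far past 80 columns. Reading the value once is shorter and clearer: `String value = getServletConfig().getInitParameter("showServerInfo");` / `if (value != null) {` / `    showServerInfo = Boolean.parseBoolean(value);`. If the rest of `init()` uses the two-call pattern for its other parameters, consistency may be the reason for keeping it, but the long line still deserves a wrap. Note that `Boolean.parseBoolean` maps anything other than a case-insensitive "true" to `false`, so a mistyped value silently hides the server line; for a hardening switch that is the safe direction, but a one-line comment saying so would save a future reader a trip to the Javadoc. `init()` begins outside the hunk.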
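Review bot: The new `if (showServerInfo)` guard covers only the HTML footer built in this hunk, and the enclosing render method starts outside it. If the DefaultServlet also produces an XML/XSLT form of the listing and that path writes `ServerInfo.getServerInfo()`, it needs the same check or the option hides the version in one listing format but not the other; I cannot see that code in this diff, so please confirm. Separately, the `<HR size="1" noshade="noshade">` written in the context line just above is still emitted when the flag is false, so the page ends with a rule and nothing beneath it; cosmetic, and only worth moving under the same condition if that `HR` is not shared with another block (the closing brace that follows it suggests it may be).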
@@ -140,6 +140,12 @@ <bug>56451</bug>: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt) </fix> + <add> + <bug>56463</bug>: Property for disabling server information is added to + the <code>DefaultServlet</code>. Server information is presented in the + response sent to the client when directory listings is enabled. + (violetagg) + </add> </changelog> </subsection> <subsection name="Coyote"> Modified: tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml?rev=1593196&r1=1593195&r2=1593196&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/default-servlet.xml Thu May 8 07:30:47 2014 @@ -156,6 +156,10 @@ directory listings are disabled and debu If true, the Accept-Ranges header will be set when appropriate for the response. [true] </property> + <property name="showServerInfo"> + Should server information be presented in the response sent to clients + when directory listing is enabled. [true] + </property> </properties> </section> Modified: tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml?rev=1593196&r1=1593195&r2=1593196&view=diff ============================================================================== --- tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/security-howto.xml Thu May 8 07:30:47 2014 
@@ -440,6 +440,21 @@ server.info=Apache Tomcat/7.0.x thousands of files can consume significant CPU leading to a DOS attack. </p> + <p>The DefaultServlet is configured with <strong>showServerInfo</strong> + set to <code>true</code>. When the directory listings is enabled the Tomcat + version number is included in the response sent to clients. To avoid this, + you can explicitly configure a DefaultServlet and set its + <strong>showServerInfo</strong> attribute to false. + Alternatively, the version number can be changed by creating the file + CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with + content as follows:</p> + <source>server.info=Apache Tomcat/<version-major-minor/>.x</source> + <p>Modify the values as required. Note that this will also change the version + number reported in some of the management tools and may make it harder to + determine the real version installed. The CATALINA_HOME/bin/version.bat|sh + script will still report the version number. + </p> + <p><a href="config/filter.html">FailedRequestFilter</a> can be configured and used to reject requests that had errors during request parameter parsing. Without the filter the default behaviour is --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org