Hi there,

About a year ago, there was a discussion about the fact that "ServerTokens" could be used to limit the detailed information sent about the server on every request, while "ServerSignature" only showed the full product version (or nothing at all). (See, for example, <URL: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=100323367832594&w=2> as a starting point -- the threads "Better privacy with SERVER_SIGNATURE" and "[PATCH] for ServerSignatures / ServerTokens" are the relevant ones.)

[ ServerSignature is the option that sets how the bottom of a mod_autoindex-generated page looks. The information it generates (in the function ap_psignature in server/core.c) can also appear in the output of mod_dav, mod_info, and mod_status, amongst other places. ]

I prefer to have ServerSignature reveal no more information than the Server: header (controlled by ServerTokens), so I provide two suggested patches to add this behaviour. There were patches provided in the above-referenced threads, but the facility doesn't seem to exist in the current code.

The first patch, below, only modifies server/core.c so that the output of ap_psignature tracks the value of ServerTokens (up to the level of ServerTokens Minimal, which is the current sole possibility). The disadvantage of it is that the current behaviour cannot be replicated -- if ServerTokens is ProductOnly, for example, the signature cannot be the current "Apache/2.0.43". For me, this isn't a problem. For others, it might be -- especially if, for example, the information is used in mod_status to find the running version (where, for some reason, httpd -v isn't practical).

For that reason, there is also an alternative patch, in a following mail, which modifies both server/core.c and include/http_core.h to add an option, ServerSigStyle, which defaults to "traditional" (meaning "replicates the current behaviour") but can be set to "header" (meaning "track the Server: header" as described above) wherever ServerSignature can be set. The disadvantage of that patch is that it modifies core_dir_config to add a new directive. Does that count as a disadvantage?

Anyway, below is patch alternative 1: change current behaviour to only allow what I want.
Built against the released 2.0.43 code, my (limited) testing doesn't show a significant throughput difference compared with the current code. It applies to the current CVS version, 1.215, with a 28-line offset. A documentation patch for "ServerTokens" should say something like "this also affects the ServerSignature output, if that directive is not off"; while the "ServerSignature" docs should be modified to say something like "the signature generated depends on the setting of ServerTokens" Any comments are welcome, f -- Francis Daly [EMAIL PROTECTED] --- server-virgin/core.c Wed Oct 2 22:35:57 2002 +++ server/core.c Sun Oct 27 19:54:50 2002 @@ -2226,6 +2226,9 @@ { char sport[20]; core_dir_config *conf; + const char *version_s; + char *version; + char *end; conf = (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module); @@ -2235,9 +2238,15 @@ } apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r)); + version = (char *)version_s = ap_get_server_version(); + + if ((end = strchr(version_s + strlen(AP_SERVER_BASEPRODUCT), ' ')) + != NULL) { + version = apr_pstrndup(r->pool, version_s, end - version_s); + } if (conf->server_signature == srv_sig_withmail) { - return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION + return apr_pstrcat(r->pool, prefix, "<address>", version, " Server at <a href=\"mailto:", r->server->server_admin, "\">", ap_escape_html(r->pool, ap_get_server_name(r)), @@ -2245,7 +2254,7 @@ "</address>\n", NULL); } - return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION + return apr_pstrcat(r->pool, prefix, "<address>", version, " Server at ", ap_escape_html(r->pool, ap_get_server_name(r)), " Port ", sport,
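Review bot: in the declaration hunk (@@ -2226,6 +2226,9 @@), `version` should be declared `const char *` rather than `char *`. The only two values it ever holds are the string returned by `ap_get_server_version()` and the result of `apr_pstrndup()`, and both are only read and handed to `apr_pstrcat()`, which takes `const char *` arguments, so nothing needs a writable pointer. With `const char *version;` the separate `version_s` can go as well: assign `version = ap_get_server_version();`, compute `end` from `version`, and reassign `version` to the `apr_pstrndup()` result when a space is found.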
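Review bot: in the second hunk (@@ -2235,9 +2238,15 @@), `version = (char *)version_s = ap_get_server_version();` assigns through a cast, which treats the cast expression as an lvalue; that is a GCC extension, not ISO C, and will not compile with compilers that do not accept lvalue casts. Split it into `version_s = ap_get_server_version();` and `version = version_s;` (or drop the cast entirely by making `version` const). Separately, `strchr(version_s + strlen(AP_SERVER_BASEPRODUCT), ' ')` assumes the banner always begins with AP_SERVER_BASEPRODUCT; that is true for every ServerTokens level core builds today, but a banner shorter than the product name would make the pointer arithmetic start past the terminator. Since the product name contains no space, searching from `version_s` itself gives the same result without the assumption; otherwise guard it with a `strncmp()` against AP_SERVER_BASEPRODUCT first.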
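Review bot: the last hunk (@@ -2245,7 +2254,7 @@) changes what every page with ServerSignature On shows, but the documentation updates described in the cover text (the ServerTokens and ServerSignature entries) are not part of the patch; please send them together. The ServerSignature text should also say explicitly that the signature is capped at the Minimal form ("Apache/x.y.z") even when ServerTokens is OS or Full, since that is the one case where the signature and the Server: header intentionally differ.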

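As an added, stand-alone illustration of the rule the patch applies (this is example code, not part of Francis Daly's patch or of httpd itself): take the string that ServerTokens puts into the Server: header and cut it at the first space after the product name, so the signature never says more than the Minimal form and never more than the header does. The helper names (`banner_for_level`, `signature_from_banner`), the version number and the OS/module components are assumptions for illustration; unlike the patch, the function checks that the banner actually starts with the product name before indexing past it.

```c
/*
 * Added example, not httpd code and not the posted patch.  Reproduces the
 * ServerSignature truncation rule stand-alone so each ServerTokens level
 * can be checked without a running server.  Version and component strings
 * are constructed sample values.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BASEPRODUCT "Apache"
#define BASEVERSION BASEPRODUCT "/2.0.43"   /* sample version, assumed */

typedef enum { PROD, MAJOR, MINOR, MINIMAL, OS, FULL } token_level;

/* What the Server: header carries at each ServerTokens level.  The OS and
 * Full strings are constructed samples of what a build might append. */
const char *banner_for_level(token_level lvl)
{
    switch (lvl) {
    case PROD:    return BASEPRODUCT;
    case MAJOR:   return BASEPRODUCT "/2";
    case MINOR:   return BASEPRODUCT "/2.0";
    case MINIMAL: return BASEVERSION;
    case OS:      return BASEVERSION " (Unix)";
    default:      return BASEVERSION " (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g";
    }
}

/* Signature form of a banner: everything up to the first space after the
 * product name, i.e. at most the Minimal form.  Returns a malloc'd string
 * the caller frees, or NULL if the banner does not begin with the product
 * name (the patch assumes it always does and would otherwise start its
 * search past the end of a shorter string). */
char *signature_from_banner(const char *banner)
{
    size_t plen = strlen(BASEPRODUCT);
    const char *end;
    size_t n;
    char *out;

    if (strncmp(banner, BASEPRODUCT, plen) != 0)
        return NULL;
    end = strchr(banner + plen, ' ');
    n = end ? (size_t)(end - banner) : strlen(banner);
    out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, banner, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    token_level lvl;

    for (lvl = PROD; lvl <= FULL; lvl++) {
        const char *banner = banner_for_level(lvl);
        char *sig = signature_from_banner(banner);
        printf("Server: %-52s signature: %s Server at www.example.com Port 80\n",
               banner, sig ? sig : "(unexpected banner)");
        free(sig);
    }
    return 0;
}
```

Running it prints one line per ServerTokens level: for ProductOnly, Major, Minor and Minimal the signature equals the header verbatim, while OS and Full both collapse to "Apache/2.0.43", which is the "capped at Minimal" behaviour the cover text describes and the reason ProductOnly can no longer show the old "Apache/2.0.43" signature.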