On Sat, Nov 02, 2002 at 11:29:29AM -0800, Justin Erenkrantz wrote:
>
> >The disadvantage of it is that the current behaviour
> >cannot be replicated -- if ServerTokens is ProductOnly, for
> >example, the signature cannot be the current "Apache/2.0.43". For
> >me, this isn't a problem. For others, it might be --
>
> Nah, I'm not terribly concerned about that edge case.
That suits me fine.
> >Anyway, below is patch alternative 1: change current behaviour to
> >only allow what I want.
>
> I like this alternative much more than the other one. I'm a believer
> that ServerTokens is that 'authoritative' version that should always
> be represented to the world.
>
> However, wouldn't it be better to just have it return
> ap_server_version() rather than trying to be cute and cut off at the
> first space?
The reason I cut it off there was to (as near as possible) mimic
current behaviour. ap_server_version() can return quite a long string,
especially if there are lots of third party modules loaded. The
Server: header from some well-known Apache/1.3 sites exceeds 80
characters.
If it's considered appropriate, then it makes the patch much smaller,
and (presumably) the code that bit faster.
I don't believe there's a danger of any client-side data appearing
there, but even so it may be worth wrapping the output of
ap_server_version() with ap_escape_html() -- although if a webmaster
chooses to load mod_<blink>, perhaps they shouldn't be helped. If it
is wanted, the change is obvious.
> If ServerTokens is 'full' anyway, you're already
> exposing it, so I don't see a large concern. It might be a bit more
> than we had before, but I don't think that's going to scare anyone
> away. Perhaps it'll teach people to use 'minimal' more often.
That sounds reasonable to me, and no-one has yet contradicted it that
I have seen.
> And, if you could submit a patch for the documentation, that'd be
> appreciated. =)
I was hoping to be lazy and just provide the words, and let someone
who knows more about the current doc setup do the real work. Oh
well...
Two patches below: one is for httpd-2.0/server/core.c, which just adds
(unescaped) ap_get_server_version() to ap_psignature. Against the
current CVS version; not compiled, not tested, but it looks right to
me.
The other is for httpd-docs-2.0/manual/mod/core.xml, which adds an
extra comment to the two directives. Also against the most recent CVS
version; hopefully I've got the style correct. Obviously, if the
actually-committed patch includes the "stop after Minimal" code, then
the words here are wrong.
All the best,
f
--
Francis Daly [EMAIL PROTECTED]
--- core.c.1.216 Tue Nov 5 13:22:10 2002
+++ core.c Tue Nov 5 13:24:12 2002
@@ -2265,7 +2265,8 @@
apr_snprintf(sport, sizeof sport, "%u", (unsigned) ap_get_server_port(r));
if (conf->server_signature == srv_sig_withmail) {
- return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+ return apr_pstrcat(r->pool, prefix, "<address>",
+ ap_get_server_version(),
" Server at <a href=\"mailto:",
r->server->server_admin, "\">",
ap_escape_html(r->pool, ap_get_server_name(r)),
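Review bot: the new `ap_get_server_version()` argument on the `+` lines is concatenated into the HTML `<address>` block raw, while the server name two lines later is passed through `ap_escape_html(r->pool, ...)`. The mail already notes this (third-party modules append arbitrary text to the version string); for consistency with the surrounding code, the argument should be `ap_escape_html(r->pool, ap_get_server_version())` so the escaping policy for this output is uniform regardless of what modules register.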
@@ -2273,7 +2274,7 @@
"</address>\n", NULL);
}
- return apr_pstrcat(r->pool, prefix, "<address>" AP_SERVER_BASEVERSION
+ return apr_pstrcat(r->pool, prefix, "<address>", ap_get_server_version(),
" Server at ",
ap_escape_html(r->pool, ap_get_server_name(r)),
" Port ", sport,
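Review bot: same issue as the first hunk; `ap_get_server_version()` is inserted unescaped on the `+` line while `ap_get_server_name(r)` on the following line is escaped. Consider fetching the (escaped) version string once into a local before the `if (conf->server_signature == srv_sig_withmail)` branch so both return paths build it the same way and the change cannot drift between the two branches.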
--- core.xml.1.40 Tue Nov 5 13:07:40 2002
+++ core.xml Tue Nov 5 13:10:45 2002
@@ -2509,6 +2509,8 @@
"mailto:" reference to the <directive
module="core">ServerAdmin</directive> of the referenced
document.</p>
+ <p>After version 2.0.44, the details of the server version number
+ presented are controlled by the ServerTokens directive.
</usage>
<seealso><directive module="core">ServerTokens</directive></seealso>
</directivesynopsis>
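Review bot: the added `<p>` is never closed. The surrounding file is XML (the context line above ends with `document.</p>`), so a missing `</p>` will fail to parse when the docs are built; the second `+` line should end `...ServerTokens directive.</p>`. The file also marks directive names up as `<directive module="core">ServerTokens</directive>` (see the `<seealso>` line just below), so the plain-text "ServerTokens" should follow that convention.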
@@ -2560,6 +2562,9 @@
<p>This setting applies to the entire server, and cannot be
enabled or disabled on a virtualhost-by-virtualhost basis.</p>
+
+ <p>After version 2.0.44, this directive also controls the
+ information presented by the ServerSignature directive.
</usage>
<seealso><directive module="core">ServerSignature</directive></seealso>
</directivesynopsis>
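Review bot: as in the previous docs hunk, the new `<p>` on the last `+` line has no closing `</p>`, which breaks the XML; and "ServerSignature" should be marked up as `<directive module="core">ServerSignature</directive>` to match the `<seealso>` entry directly below.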
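The mail leaves open whether the version string fed into the `<address>` block needs `ap_escape_html()`. The following stand-alone C program, added here as an illustration and not part of the patch or of httpd, builds the non-mail branch of the signature from a constructed version string and shows what the escaping decision changes. `html_escape()` is a minimal malloc-based stand-in for httpd's pool-allocated `ap_escape_html()`, and the version string containing `mod_<blink>` is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for ap_escape_html(): escapes the characters that change
 * meaning inside HTML text. Returns a malloc'd string the caller frees.
 * (Assumption: httpd's real function is pool-allocated; this is not it.) */
char *html_escape(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': n += 4; break;   /* &lt; &gt;  */
        case '&': n += 5; break;             /* &amp;      */
        case '"': n += 6; break;             /* &quot;     */
        default:  n += 1;
        }
    }
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = s; *p; p++) {
        switch (*p) {
        case '<': memcpy(q, "&lt;", 4);   q += 4; break;
        case '>': memcpy(q, "&gt;", 4);   q += 4; break;
        case '&': memcpy(q, "&amp;", 5);  q += 5; break;
        case '"': memcpy(q, "&quot;", 6); q += 6; break;
        default:  *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Plain copy, used for the unescaped variant (avoids relying on strdup). */
static char *copy_str(const char *s) {
    char *out = malloc(strlen(s) + 1);
    if (out) strcpy(out, s);
    return out;
}

/* Build the <address> line the way the core.c patch's second branch does,
 * with the version string either escaped or inserted raw. Caller frees. */
char *build_signature(const char *version, const char *server_name,
                      unsigned port, int escape_version) {
    char *ver  = escape_version ? html_escape(version) : copy_str(version);
    char *name = html_escape(server_name);   /* always escaped, as in core.c */
    if (!ver || !name) { free(ver); free(name); return NULL; }
    size_t n = strlen(ver) + strlen(name) + 64;  /* fixed text + port + NUL */
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "<address>%s Server at %s Port %u</address>\n",
                 ver, name, port);
    free(ver);
    free(name);
    return out;
}

/* Returns 1 if the text between <address> and </address> still contains a
 * raw '<', i.e. markup that arrived via the version string, else 0. */
int signature_has_raw_tag(const char *sig) {
    const char *body = strstr(sig, "<address>");
    if (!body) return 0;
    body += strlen("<address>");
    const char *close = strstr(body, "</address>");
    if (!close) return 0;
    for (const char *p = body; p < close; p++)
        if (*p == '<') return 1;
    return 0;
}

int main(void) {
    /* Constructed version string: a third-party module with markup in its name. */
    const char *version = "Apache/2.0.43 (Unix) mod_<blink>/1.0";
    char *raw = build_signature(version, "www.example.com", 80, 0);
    char *esc = build_signature(version, "www.example.com", 80, 1);
    if (raw && esc) {
        printf("unescaped: %sraw tag present: %d\n", raw, signature_has_raw_tag(raw));
        printf("escaped:   %sraw tag present: %d\n", esc, signature_has_raw_tag(esc));
    }
    free(raw);
    free(esc);
    return 0;
}
```

The server name is escaped in both variants, mirroring the patch; only the version string differs. Whether the module string is attacker-influenced in practice is a separate question, but escaping it costs one call and keeps the rule "everything interpolated into HTML is escaped" uniform.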