On 6/23/2010 10:49 AM, Jim Jagielski wrote: > > On Jun 21, 2010, at 1:07 PM, Jeff Trawick wrote: > >> On Mon, Jun 21, 2010 at 8:40 AM, Jim Jagielski <[email protected]> wrote: >>> There have been a few reports regarding how server-status "leaks" >>> info, mostly about our (the ASF's) open use of server-status and >>> how IP addresses are exposed. >>> >>> I'm thinking about a patch that adjusts server-status/mod_status >>> to have a "public vs. private" setting... Public would be to >>> have IP addresses exposed as public info; private would be to >>> not expose 'em (keep 'em private). >> >> use mod_sed or similar on apache.org to change the client IP address >> field to "?" > > True... so I'm guessing this means that the patch would > be unacceptable?
If it's an obfuscation (truncated hash of IP?) that lets the admin/users see that one individual has tying up 10 connections, I don't think it's a bad idea to patch (mod_sed isn't going to do that effectively). +/-0 on patching to disable the field entirely.
