Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 30, 2015, 10:52 a.m.) Status -- This change has been

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 28, 2015, 7:21 a.m., Corey Farrell wrote: If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing Server: Asterisk/version. Another option would be trimming to major version only - Server: Asterisk/13. Otherwise any

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 28, 2015, 6:21 a.m., Corey Farrell wrote: If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing Server: Asterisk/version. Another option would be trimming to major version only - Server: Asterisk/13. Otherwise any

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14362 --- Ship it! ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 29, 2015, 11:20 a.m., rmudgett wrote: ./branches/13/main/http.c, lines 80-81 https://reviewboard.asterisk.org/r/4374/diff/5/?file=71170#file71170line80 Double this because SVN versions could get lengthy and server names can be larger as well. Okay. I will make that

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 28, 2015, 6:21 a.m., Corey Farrell wrote: If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing Server: Asterisk/version. Another option would be trimming to major version only - Server: Asterisk/13. Otherwise any

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 29, 2015, 4:48 p.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14383 --- Ship it! Ship It! - rmudgett On Jan. 29, 2015, 4:54 p.m.,

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 29, 2015, 4:54 p.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14339 --- If we assume that there are always unknown security

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 10:57 a.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 640 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line640 This seems kind of small for the amount that could be put in here. May want to switch to using an ast_str for this and

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 639 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line639 What you had before was better: char *status_title = Unauthorized; char status_title[16] always reserves

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: ./branches/13/main/http.c, line 384 https://reviewboard.asterisk.org/r/4374/diff/2/?file=71124#file71124line384 Does this need to be skipped if http_server_name is empty? Ashley Sanders wrote: I think in the case of the status and

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14351 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 5:15 p.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 28, 2015, 8:13 p.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 28, 2015, 5:42 p.m., rmudgett wrote: ./branches/13/main/http.c, line 560 https://reviewboard.asterisk.org/r/4374/diff/4/?file=71161#file71161line560 I'm surprised that the compiler didn't complain about http_header_data being const because it is passed to ast_http_send()

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 639 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line639 What you had before was better: char *status_title = Unauthorized; char status_title[16] always reserves

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 639 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line639 What you had before was better: char *status_title = Unauthorized; char status_title[16] always reserves

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: ./branches/13/main/http.c, line 384 https://reviewboard.asterisk.org/r/4374/diff/2/?file=71124#file71124line384 Does this need to be skipped if http_server_name is empty? Ashley Sanders wrote: I think in the case of the status and

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14325 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14324 --- ./branches/13/main/http.c

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, line 2155 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155 Setting a blank string will really mean a blank servername output value: Server: Is it intended for this

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 27, 2015, 6:16 p.m.) Review request for Asterisk

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 640 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line640 This seems kind of small for the amount that could be put in here. May want to switch to using an ast_str for this and

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:51 p.m., rmudgett wrote: ./branches/13/main/http.c, line 384 https://reviewboard.asterisk.org/r/4374/diff/2/?file=71124#file71124line384 Does this need to be skipped if http_server_name is empty? I think in the case of the status and the CLI, we should

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 27, 2015, 7:48 p.m., rmudgett wrote: ./branches/13/main/http.c, line 639 https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line639 What you had before was better: char *status_title = Unauthorized; char status_title[16] always reserves

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- (Updated Jan. 26, 2015, 2:03 p.m.) Review request for Asterisk

[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/ --- Review request for Asterisk Developers. Bugs: ASTERISK-24316

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, line 2155 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155 Setting a blank string will really mean a blank servername output value: Server: Is it intended for this

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, line 2155 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155 Setting a blank string will really mean a blank servername output value: Server: Is it intended for this

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, line 2155 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155 Setting a blank string will really mean a blank servername output value: Server: Is it intended for this

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, lines 567-568 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line567 Why are the allocation sizes passed in? Ashley Sanders wrote: To account for this handling the error and auth

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, lines 608-615 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line608 Yuck on toothbrush formatting. I think this looks better, personally. It's easier to read and glean intent. On Jan.

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

On Jan. 26, 2015, 5:44 p.m., rmudgett wrote: ./branches/13/main/http.c, line 2153 https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2153 -1 is not needed for the sizeof parameter. The sizeof parameter includes the string nul terminator. I saw that

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14289 --- ./branches/13/configs/samples/http.conf.sample

Re: [asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

--- This is an automatically generated e-mail. To reply, visit: https://reviewboard.asterisk.org/r/4374/#review14288 --- Ship it! Ship It! - Andrew Nagy On Jan. 26, 2015, 12:03