Implements/Ports; "Feature Request: Server Tokens" issue 438.

I took the liberty to port the proposed patch and extend its functionality beyond what is published to the outside, including what is published to foreign
scripts and proxy hosts. The point is obviously to be secure by default; the point of hiding it is to make it a little bit harder to guess what is actually 'the default'.

http://code.google.com/p/cherokee/issues/detail?id=438
commit 1d6ff06b2925b412321a1a778dc78e5585dfb6ee 1 parent c8be77e
Stefan de Konink authored October 13, 2011
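--- a/admin/consts.py
+++ b/admin/consts.py
@@ -39,6 +39,7 @@
 
 PRODUCT_TOKENS = [
     ('',        N_('Default')),
+    ('void',    N_('No server string')),
     ('product', N_('Product only')),
     ('minor',   N_('Product + Minor version')),
     ('minimal', N_('Product + Minimal version')),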
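--- a/cherokee/connection.c
+++ b/cherokee/connection.c
@@ -835,9 +835,11 @@ build_response_header (cherokee_connection_t *conn,
 
 	/* Add the Server header
 	 */
-	cherokee_buffer_add_str (buffer, "Server: ");
-	cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
-	cherokee_buffer_add_str (buffer, CRLF);
+	if (&CONN_BIND(conn)->server_string.len > 0) {
+		cherokee_buffer_add_str (buffer, "Server: ");
+		cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
+		cherokee_buffer_add_str (buffer, CRLF);
+	}
 
 	/* Authentication
 	 */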
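--- a/cherokee/handler_cgi_base.c
+++ b/cherokee/handler_cgi_base.c
@@ -272,9 +272,11 @@ cherokee_handler_cgi_base_build_basic_env (
 
 	/* Set the basic variables
 	 */
-	set_env (cgi, "SERVER_SOFTWARE",
-		 bind->server_string.buf,
-		 bind->server_string.len);
+	if (bind->server_string.len > 0) {
+		set_env (cgi, "SERVER_SOFTWARE",
+			 bind->server_string.buf,
+			 bind->server_string.len);
+	}
 
 	set_env (cgi, "SERVER_SIGNATURE",  "<address>Cherokee Web Server</address>", 38);
 	set_env (cgi, "GATEWAY_INTERFACE", "CGI/1.1", 7);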
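Review bot: Skipping SERVER_SOFTWARE when the server string is empty still leaves the product name exposed two lines later, where SERVER_SIGNATURE is hard-coded to `<address>Cherokee Web Server</address>`, so CGI scripts can identify the server under the 'void' token anyway. If the option is meant to hide the product from scripts, gate that line with the same `bind->server_string.len > 0` condition or emit an empty signature. RFC 3875 also expects SERVER_SOFTWARE to be present, so an else branch setting it to an empty value, `set_env (cgi, "SERVER_SOFTWARE", "", 0);`, may be friendlier to scripts than leaving it unset. cherokee_handler_cgi_base_build_basic_env continues outside the hunk.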
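--- a/cherokee/handler_dirlist.c
+++ b/cherokee/handler_dirlist.c
@@ -1246,7 +1246,9 @@ render_header_footer_vbles (cherokee_handler_dirlist_t *dhdl,
 	/* Replacements
 	 */
 	VTMP_SUBSTITUTE_TOKEN ("%public_dir%",      dhdl->public_dir.buf);
-	VTMP_SUBSTITUTE_TOKEN ("%server_software%", bind->server_string_w_port.buf);
+	if (bind->server_string_w_port.len > 0) {
+		VTMP_SUBSTITUTE_TOKEN ("%server_software%", bind->server_string_w_port.buf);
+	}
 	VTMP_SUBSTITUTE_TOKEN ("%notice%",          dhdl->header.buf);
 	VTMP_SUBSTITUTE_TOKEN ("%icon_dir%",        props->icon_web_dir.buf);
 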
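Review bot: When `server_string_w_port.len` is 0 the `%server_software%` token is no longer substituted at all, so the literal placeholder is presumably left in the rendered listing unless VTMP_SUBSTITUTE_TOKEN or the template code strips unknown tokens elsewhere. Substituting an empty string hides the server string without leaking the placeholder; if the guard exists because an empty buffer may carry a NULL `buf`, keep the check but add an else branch that substitutes `""`. render_header_footer_vbles continues outside the hunk.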
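--- a/cherokee/handler_error.c
+++ b/cherokee/handler_error.c
@@ -195,8 +195,10 @@ build_hardcoded_response_page (cherokee_connection_t *conn, cherokee_buffer_t *b
 
 	/* Add page footer
 	 */
-	cherokee_buffer_add_str (buffer, CRLF "<p><hr>" CRLF);
-	cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string_w_port);
+	if (CONN_BIND(conn)->server_string_w_port.len > 0) {
+		cherokee_buffer_add_str (buffer, CRLF "<p><hr>" CRLF);
+		cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string_w_port);
+	}
 	cherokee_buffer_add_str (buffer, CRLF "</body>" CRLF "</html>" CRLF);
 
 	return ret_ok;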
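--- a/cherokee/handler_proxy.c
+++ b/cherokee/handler_proxy.c
@@ -1378,9 +1378,11 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 			added_server = true;
 
 			if (! props->out_preserve_server) {
-				cherokee_buffer_add_str (buf_out, "Server: ");
-				cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
-				cherokee_buffer_add_str (buf_out, CRLF);
+				if (CONN_BIND(conn)->server_string.len > 0) {
+					cherokee_buffer_add_str (buf_out, "Server: ");
+					cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
+					cherokee_buffer_add_str (buf_out, CRLF);
+				}
 				goto next;
 			}
 
@@ -1490,7 +1492,7 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 
 	/* 'Server' header
 	 */
-	if (! added_server) {
+	if (! added_server && CONN_BIND(conn)->server_string.len > 0) {
 		cherokee_buffer_add_str (buf_out, "Server: ");
 		cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
 		cherokee_buffer_add_str (buf_out, CRLF);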
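Review bot: The three-line "Server: " emit sequence, now wrapped in the same `server_string.len > 0` check, is duplicated in both hunks of this file and again in connection.c; a small static helper such as `add_server_header (buf_out, conn)` that owns the length check would keep the 'void' behaviour in one place and make it harder for the three copies to drift apart. Both hunks of parse_server_header start and end outside the visible lines.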
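--- a/cherokee/server.c
+++ b/cherokee/server.c
@@ -1479,7 +1479,9 @@ configure_server_property (cherokee_config_node_t *conf, void *data)
 		}
 
 	} else if (equal_buf_str (&conf->key, "server_tokens")) {
-		if (equal_buf_str (&conf->val, "Product")) {
+		if (equal_buf_str (&conf->val, "Void")) {
+			srv->server_token = cherokee_version_void;
+		} else if (equal_buf_str (&conf->val, "Product")) {
 			srv->server_token = cherokee_version_product;
 		} else if (equal_buf_str (&conf->val, "Minor")) {
 			srv->server_token = cherokee_version_minor;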
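Review bot: The new branch compares the configuration value against `"Void"` while admin/consts.py registers the token as `'void'`; the existing pairs (`"Product"`/`'product'`) follow the same pattern, so presumably the admin layer capitalises the value or equal_buf_str ignores case, but that is worth confirming because a mismatch would silently fall through to whatever the chain's final branch selects. A one-line comment above the chain, `/* Values are the capitalised form of the PRODUCT_TOKENS keys in admin/consts.py */`, would document the coupling. configure_server_property continues outside the hunk.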
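--- a/cherokee/version.c
+++ b/cherokee/version.c
@@ -32,6 +32,9 @@ cherokee_version_add (cherokee_buffer_t *buf, cherokee_server_token_t level)
 	ret_t ret;
 
 	switch (level) {
+	case cherokee_version_void:
+		ret = ret_ok;
+		break;
 	case cherokee_version_product:
 		ret = cherokee_buffer_add_str (buf, "Cherokee web server");
 		break;
@@ -62,6 +65,9 @@ cherokee_version_add_w_port (cherokee_buffer_t *buf, cherokee_server_token_t lev
 	ret_t ret;
 
 	switch (level) {
+	case cherokee_version_void:
+		ret = ret_ok;
+		break;
 	case cherokee_version_product:
 		ret = cherokee_buffer_add_va (buf, "Cherokee web server, Port %d", port);
 		break;
@@ -92,6 +98,9 @@ cherokee_version_add_simple (cherokee_buffer_t *buf, cherokee_server_token_t lev
 	ret_t ret;
 
 	switch (level) {
+	case cherokee_version_void:
+		ret = ret_ok;
+		break;	
 	case cherokee_version_product:
 		ret = cherokee_buffer_add_str (buf, "Cherokee");
 		break;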
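Review bot: The `cherokee_version_void` case returns ret_ok without touching `buf`, and that is what lets the callers in this commit detect the 'void' token through `server_string.len > 0`; the contract is implicit, so a comment on the first of the three new cases, `/* 'void': add nothing; callers omit the Server header when the buffer stays empty */`, would make it explicit. It only holds if the buffer is empty on entry, which is presumably the case for the server_string fields but is not visible here. The `break;` added in cherokee_version_add_simple carries a trailing tab. All three functions continue outside their hunks.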
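--- a/cherokee/version.h
+++ b/cherokee/version.h
@@ -37,6 +37,7 @@ CHEROKEE_BEGIN_DECLS
 
 
 typedef enum {
+	cherokee_version_void,
 	cherokee_version_product,
 	cherokee_version_minor,
 	cherokee_version_minimal,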
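Review bot: Inserting `cherokee_version_void` before `cherokee_version_product` renumbers every existing enumerator and makes 'void' the zero value, so a zero-initialised `server_token` that configuration never sets (or any integer value of this enum that is stored or compared elsewhere) now presumably means 'void' instead of 'product', which silently changes the effective default. Appending the new enumerator after the last existing one, which lies outside the hunk, keeps the old values stable; if the enum is meant to be order-independent, a comment such as `/* Order matters: the first value is the zero default */` should say so. The typedef continues outside the hunk.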

3 notes on commit 1d6ff06

Alvaro Lopez Ortega

I do not like it. There are a whole lot of ways to identify the server; the token string is just the most obvious one, but there are many, MANY others.
In my opinion, trying to hide the Server is pointless and a lousy way to get a false sense of security. -1.

Stefan de Konink

I think a few weeks ago on Slashdot I read an article that good security in addition to some obscurity gives the best results. I am not pro-using it at all, but then again a user requested it, created a patch and I am just following up and incorporating it in my tree. Will it hurt Cherokee: probably not; is it advisable to run Cherokee like this: no.

http://news.slashdot.org/story/11/10/01/2034215/security-by-obscurity-a-new-theory

cept0 commented on 1d6ff06 July 17, 2012

Thank you!

Will this be included in future releases ? Like skinkie said, it is "Security by Obscurity" - but this is definitely no powerful argument to not implement this patch for major releases too ...
