Implements/Ports; "Feature Request: Server Tokens" issue 438.

I took the liberty to port the proposed patch and extend its functionality beyond what is published to the outside, including what is published to foreign
scripts and proxy hosts. The point is obviously to be secure by default; the point of hiding it is to make it a little bit harder to guess what is actually 'the default'.

http://code.google.com/p/cherokee/issues/detail?id=438
commit 1d6ff06b2925b412321a1a778dc78e5585dfb6ee 1 parent c8be77e
@skinkie authored
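--- a/admin/consts.py
+++ b/admin/consts.py
@@ -39,6 +39,7 @@
 PRODUCT_TOKENS = [
 ('', N_('Default')),
+ ('void', N_('No server string')),
 ('product', N_('Product only')),
 ('minor', N_('Product + Minor version')),
 ('minimal', N_('Product + Minimal version')),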
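--- a/cherokee/connection.c
+++ b/cherokee/connection.c
@@ -835,9 +835,11 @@ build_response_header (cherokee_connection_t *conn,
 /* Add the Server header
 */
- cherokee_buffer_add_str (buffer, "Server: ");
- cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
- cherokee_buffer_add_str (buffer, CRLF);
+ if (&CONN_BIND(conn)->server_string.len > 0) {
+ cherokee_buffer_add_str (buffer, "Server: ");
+ cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string);
+ cherokee_buffer_add_str (buffer, CRLF);
+ }
 /* Authentication
 */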
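Review bot: The new guard takes the address of `server_string.len` instead of its value, so `&CONN_BIND(conn)->server_string.len > 0` compares a pointer with zero — something compilers accept only with a warning and that always evaluates true — and the Server header is still emitted on every response, which is precisely the path the Void token is meant to silence. The sibling hunks in handler_cgi_base.c, handler_error.c and handler_proxy.c use `.len > 0` without the `&`; this one should read `if (CONN_BIND(conn)->server_string.len > 0) {`. build_response_header continues outside the hunk.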
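--- a/cherokee/handler_cgi_base.c
+++ b/cherokee/handler_cgi_base.c
@@ -272,9 +272,11 @@ cherokee_handler_cgi_base_build_basic_env (
 /* Set the basic variables
 */
- set_env (cgi, "SERVER_SOFTWARE",
- bind->server_string.buf,
- bind->server_string.len);
+ if (bind->server_string.len > 0) {
+ set_env (cgi, "SERVER_SOFTWARE",
+ bind->server_string.buf,
+ bind->server_string.len);
+ }
 set_env (cgi, "SERVER_SIGNATURE", "<address>Cherokee Web Server</address>", 38);
 set_env (cgi, "GATEWAY_INTERFACE", "CGI/1.1", 7);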
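Review bot: The `SERVER_SIGNATURE` variable on the line right after the new block is still set unconditionally to `<address>Cherokee Web Server</address>`, so a CGI script still learns the product name when server_tokens is Void; only SERVER_SOFTWARE is suppressed. Since the commit message states the string should also be hidden from foreign scripts, that `set_env` call should sit under the same `bind->server_string.len > 0` guard, or be derived from the same token setting. cherokee_handler_cgi_base_build_basic_env continues outside the hunk.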
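--- a/cherokee/handler_dirlist.c
+++ b/cherokee/handler_dirlist.c
@@ -1246,7 +1246,9 @@ render_header_footer_vbles (cherokee_handler_dirlist_t *dhdl,
 /* Replacements
 */
 VTMP_SUBSTITUTE_TOKEN ("%public_dir%", dhdl->public_dir.buf);
- VTMP_SUBSTITUTE_TOKEN ("%server_software%", bind->server_string_w_port.buf);
+ if (bind->server_string_w_port.len > 0) {
+ VTMP_SUBSTITUTE_TOKEN ("%server_software%", bind->server_string_w_port.buf);
+ }
 VTMP_SUBSTITUTE_TOKEN ("%notice%", dhdl->header.buf);
 VTMP_SUBSTITUTE_TOKEN ("%icon_dir%", props->icon_web_dir.buf);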
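Review bot: Skipping the substitution when `server_string_w_port` is empty presumably leaves the literal `%server_software%` placeholder in the rendered directory listing, if VTMP_SUBSTITUTE_TOKEN (defined outside the hunk) is the only place that token is replaced. Substituting an empty string keeps the template output clean: `VTMP_SUBSTITUTE_TOKEN ("%server_software%", bind->server_string_w_port.len > 0 ? bind->server_string_w_port.buf : "");` — this assumes the guard was added because `.buf` may be NULL for an empty buffer, which is worth confirming. render_header_footer_vbles continues outside the hunk.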
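--- a/cherokee/handler_error.c
+++ b/cherokee/handler_error.c
@@ -195,8 +195,10 @@ build_hardcoded_response_page (cherokee_connection_t *conn, cherokee_buffer_t *b
 /* Add page footer
 */
- cherokee_buffer_add_str (buffer, CRLF "<p><hr>" CRLF);
- cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string_w_port);
+ if (CONN_BIND(conn)->server_string_w_port.len > 0) {
+ cherokee_buffer_add_str (buffer, CRLF "<p><hr>" CRLF);
+ cherokee_buffer_add_buffer (buffer, &CONN_BIND(conn)->server_string_w_port);
+ }
 cherokee_buffer_add_str (buffer, CRLF "</body>" CRLF "</html>" CRLF);
 return ret_ok;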
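--- a/cherokee/handler_proxy.c
+++ b/cherokee/handler_proxy.c
@@ -1378,9 +1378,11 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 added_server = true;
 if (! props->out_preserve_server) {
- cherokee_buffer_add_str (buf_out, "Server: ");
- cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
- cherokee_buffer_add_str (buf_out, CRLF);
+ if (CONN_BIND(conn)->server_string.len > 0) {
+ cherokee_buffer_add_str (buf_out, "Server: ");
+ cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
+ cherokee_buffer_add_str (buf_out, CRLF);
+ }
 goto next;
 }
@@ -1490,7 +1492,7 @@ parse_server_header (cherokee_handler_proxy_t *hdl,
 /* 'Server' header
 */
- if (! added_server) {
+ if (! added_server && CONN_BIND(conn)->server_string.len > 0) {
 cherokee_buffer_add_str (buf_out, "Server: ");
 cherokee_buffer_add_buffer (buf_out, &CONN_BIND(conn)->server_string);
 cherokee_buffer_add_str (buf_out, CRLF);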
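Review bot: In the first hunk, when `server_string` is empty and `out_preserve_server` is false, the upstream Server header is consumed (`added_server = true`, then `goto next`) and nothing replaces it, so the proxied response carries no Server header at all; that is the intended effect of the Void token but it is not obvious from the code and deserves a comment above the new `if`, such as `/* Empty server_string (server_tokens = Void): drop the upstream Server header without a replacement */`. The second hunk, which gates the fallback header the same way, is consistent with this. parse_server_header starts and continues outside both hunks.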
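--- a/cherokee/server.c
+++ b/cherokee/server.c
@@ -1479,7 +1479,9 @@ configure_server_property (cherokee_config_node_t *conf, void *data)
 }
 } else if (equal_buf_str (&conf->key, "server_tokens")) {
- if (equal_buf_str (&conf->val, "Product")) {
+ if (equal_buf_str (&conf->val, "Void")) {
+ srv->server_token = cherokee_version_void;
+ } else if (equal_buf_str (&conf->val, "Product")) {
 srv->server_token = cherokee_version_product;
 } else if (equal_buf_str (&conf->val, "Minor")) {
 srv->server_token = cherokee_version_minor;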
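--- a/cherokee/version.c
+++ b/cherokee/version.c
@@ -32,6 +32,9 @@ cherokee_version_add (cherokee_buffer_t *buf, cherokee_server_token_t level)
 ret_t ret;
 switch (level) {
+ case cherokee_version_void:
+ ret = ret_ok;
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_str (buf, "Cherokee web server");
 break;
@@ -62,6 +65,9 @@ cherokee_version_add_w_port (cherokee_buffer_t *buf, cherokee_server_token_t lev
 ret_t ret;
 switch (level) {
+ case cherokee_version_void:
+ ret = ret_ok;
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_va (buf, "Cherokee web server, Port %d", port);
 break;
@@ -92,6 +98,9 @@ cherokee_version_add_simple (cherokee_buffer_t *buf, cherokee_server_token_t lev
 ret_t ret;
 switch (level) {
+ case cherokee_version_void:
+ ret = ret_ok;
+ break;
 case cherokee_version_product:
 ret = cherokee_buffer_add_str (buf, "Cherokee");
 break;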
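--- a/cherokee/version.h
+++ b/cherokee/version.h
@@ -37,6 +37,7 @@ CHEROKEE_BEGIN_DECLS
 typedef enum {
+ cherokee_version_void,
 cherokee_version_product,
 cherokee_version_minor,
 cherokee_version_minimal,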
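Review bot: Placing `cherokee_version_void` first in the enum renumbers every existing token: `cherokee_version_product` was 0 and becomes 1, and the value 0 now means "no Server string". Any `cherokee_server_token_t` field that is zero-initialized (a calloc'd or memset server struct) and never assigned from configuration would silently switch from Product to Void, and any token value that is persisted or compared numerically changes meaning; the default assignment is not visible here, so this should be checked in server.c. Appending the new enumerator after the last existing one instead keeps the established values stable. The typedef continues outside the hunk.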

3 comments on commit 1d6ff06

@alobbs

I do not like it. There are a whole lot of ways to identify the server; the token string is just the most obvious one, but there are many, MANY others.
In my opinion, trying to hide the Server is pointless and a lousy way to have a false sense of security. -1.

@skinkie

I think a few weeks ago on Slashdot I read an article that good security in addition to some obscurity gives the best results. I am not pro-using it at all, but then again a user requested it, created a patch and I am just following up and incorporating it in my tree. Will it hurt Cherokee: probably not; is it advisable to run Cherokee like that: no.

http://news.slashdot.org/story/11/10/01/2034215/security-by-obscurity-a-new-theory

@askmatey

Thank you!

Will this be included in future releases ? Like skinkie said, it is "Security by Obscurity" - but this is definitely no powerful argument to not implement this patch for major releases too ...
