[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes
Ashley Sanders
reviewboard at asterisk.org
Mon Jan 26 20:49:43 CST 2015
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote:
> > ./branches/13/main/http.c, line 2155
> > <https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155>
> >
> > Setting a blank string will really mean a blank servername output value:
> > Server:
> >
> > Is it intended for this to reset to the default "Asterisk/<version>"?
> >
> > An alternate method is to check the set value at the end of the function for an empty string and set the global value to "Asterisk/<version>".
>
> Ashley Sanders wrote:
> This is by design. There are three possible outcomes for the value of servername:
> 1) The user configured an empty/null value for servername (e.g. servername="")
> 2) The user configured a non-empty value for servername (e.g. servername="JohnMcClane")
> 3) There was nothing configured for servername.
>
> The HTTP server will respond as follows, respectively:
> 1) Server:
> 2) Server: JohnMcClane
> 3) Server: Asterisk/<version>
>
> rmudgett wrote:
> This definitely needs to be documented in the sample file as the behavior then.
Noted. Just as an FYI, this was documented in the test description in the yaml file and also in the description for this review.
- Ashley
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14289
-----------------------------------------------------------
On Jan. 26, 2015, 2:03 p.m., Ashley Sanders wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
>
> (Updated Jan. 26, 2015, 2:03 p.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-24316
> https://issues.asterisk.org/jira/browse/ASTERISK-24316
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
>
> This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself.
>
> By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
>
> Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
>
> ***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
>
>
> Diffs
> -----
>
> ./branches/13/main/http.c 431112
> ./branches/13/configs/samples/http.conf.sample 431112
>
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ashley Sanders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20150127/1cbee03b/attachment.html>
More information about the asterisk-dev
mailing list