[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes
Corey Farrell
reviewboard at asterisk.org
Wed Jan 28 06:21:28 CST 2015
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14339
-----------------------------------------------------------
If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing "Server: Asterisk/<version>". Another option would be trimming to major version only - Server: Asterisk/13. Otherwise any system with default config that does not receive a security update will always inform hackers of that fact.
I'm not sure others will agree with this but feel that it needs to be considered.
- Corey Farrell
On Jan. 27, 2015, 7:16 p.m., Ashley Sanders wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
>
> (Updated Jan. 27, 2015, 7:16 p.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-24316
> https://issues.asterisk.org/jira/browse/ASTERISK-24316
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
>
> This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself.
>
> By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
>
> Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
>
> ***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
>
>
> Diffs
> -----
>
> ./branches/13/main/http.c 431112
> ./branches/13/include/asterisk/http.h 431112
> ./branches/13/configs/samples/http.conf.sample 431112
>
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ashley Sanders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20150128/621c342d/attachment-0001.html>
More information about the asterisk-dev
mailing list