[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes

rmudgett reviewboard at asterisk.org
Wed Jan 28 10:58:49 CST 2015



> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote:
> > ./branches/13/main/http.c, line 639
> > <https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line639>
> >
> >     What you had before was better:
> >     char *status_title = "Unauthorized";
> >     
> >     char status_title[16] always reserves 16 bytes and copies the string into the array then nuls any extra array characters.
> 
> Ashley Sanders wrote:
>     "Unauthorized" + a null terminating character = 13 characters, which is and 13 bytes, right?
> 
> Ashley Sanders wrote:
>     Earlier, I misread what you typed. I understand what you are saying - and yes, I agree with you that the previous way was better. Noted and fixed.

Yes, you need a minimum 13-character array.
You could have declared it this way if you really need the array declaration:
char status_title[] = "Unauthorized";
The compiler will then size the array to fit the assigned string with nul terminator.

Using the pointer version, the compiler just initializes a pointer.
Using the array version, the compiler has to do a string copy into the array to initialize it.


> On Jan. 27, 2015, 7:48 p.m., rmudgett wrote:
> > ./branches/13/main/http.c, line 640
> > <https://reviewboard.asterisk.org/r/4374/diff/1-2/?file=71085#file71085line640>
> >
> >     This seems kind of small for the amount that could be put in here.  May want to switch to using an ast_str for this and use ast_str_set_va() instead of the snprintf() when filling the string.
> 
> Ashley Sanders wrote:
>     You are correct, this is a small amount. From the previous review, you advised to take the larger of the error/auth functions' header size and use that, which, admittedly, was different from this = 256. However, thinking about it, that amount even seems small and not very useful.
>     
>     What size seems reasonably large enough to be useful but small enough to be succinct such as not to create an exception on the other side?
>     
>     I found this answer from 2010: http://stackoverflow.com/a/3436155
>     and this from 2012: http://stackoverflow.com/a/686243
>

Use of ast_str variables created by ast_str_create() eliminates any worry about the string being too small.  The ast_str functions will add more room if needed when the ast_str is created with ast_str_create().


- rmudgett


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14324
-----------------------------------------------------------
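The two review points above (how the three status_title declarations differ in storage, and why a fixed 256-byte header buffer needs a truncation check or a self-sizing string) and the Server header behaviour described in the review request, worked through as an added example that is not part of the patch or of Asterisk's code. It uses plain snprintf/malloc in place of ast_str, and EXAMPLE_VERSION is a constructed stand-in for the running version.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_VERSION "13.x-example"   /* constructed, not a real version */

/* The three declarations from the review. sizeof shows what each reserves:
 * the fixed array always holds 16 bytes (string copied in, rest nul-filled),
 * the unsized array is sized by the compiler to the string plus its nul,
 * and the pointer form stores only a pointer to the literal (no copy). */
static size_t title_fixed_size(void) { char t[16] = "Unauthorized"; return sizeof t; }
static size_t title_sized_size(void) { char t[] = "Unauthorized";   return sizeof t; }
static size_t title_ptr_size(void)   { const char *t = "Unauthorized"; return sizeof t; }

/* Server header value as the description states it: with no servername
 * configured the old "Asterisk/<version>" form is used; any configured
 * value, even an empty string, replaces it. */
static const char *server_name(const char *configured)
{
    return configured ? configured : "Asterisk/" EXAMPLE_VERSION;
}

/* Fixed buffer: snprintf cannot overflow, but its return value must be
 * checked, otherwise a too-small buffer silently truncates the header. */
static int format_header_fixed(char *buf, size_t cap, int code,
                               const char *title, const char *configured)
{
    int n = snprintf(buf, cap, "HTTP/1.1 %d %s\r\nServer: %s\r\n",
                     code, title, server_name(configured));
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;   /* -1 means truncated */
}

/* Growing buffer: measure first, then allocate exactly what is needed, the
 * same idea as a self-sizing string (ast_str) adding room on demand. */
static char *format_header_dyn(int code, const char *title, const char *configured)
{
    int n = snprintf(NULL, 0, "HTTP/1.1 %d %s\r\nServer: %s\r\n",
                     code, title, server_name(configured));
    char *buf = n < 0 ? NULL : malloc((size_t)n + 1);
    if (buf) {
        snprintf(buf, (size_t)n + 1, "HTTP/1.1 %d %s\r\nServer: %s\r\n",
                 code, title, server_name(configured));
    }
    return buf;   /* caller frees */
}

/* Does a 401 response header for this server name fit in cap bytes? */
static int header_fits(size_t cap, const char *configured)
{
    char buf[512];
    if (cap > sizeof buf) cap = sizeof buf;
    return format_header_fixed(buf, cap, 401, "Unauthorized", configured) == 0;
}
```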


On Jan. 28, 2015, 10:57 a.m., Ashley Sanders wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
> 
> (Updated Jan. 28, 2015, 10:57 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-24316
>     https://issues.asterisk.org/jira/browse/ASTERISK-24316
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
> 
> This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself. 
> 
> By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
> 
> Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
> 
> ***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
> 
> 
> Diffs
> -----
> 
>   ./branches/13/main/http.c 431112 
>   ./branches/13/include/asterisk/http.h 431112 
>   ./branches/13/configs/samples/http.conf.sample 431112 
> 
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Ashley Sanders
> 
>
