<html>
<body>
<div style="font-family: Verdana, Arial, Helvetica, Sans-Serif;">
<table bgcolor="#f9f3c9" width="100%" cellpadding="8" style="border: 1px #c9c399 solid;">
<tr>
<td>
This is an automatically generated e-mail. To reply, visit:
<a href="https://reviewboard.asterisk.org/r/4374/">https://reviewboard.asterisk.org/r/4374/</a>
</td>
</tr>
</table>
<br />
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<p style="margin-top: 0;">On January 28th, 2015, 6:21 a.m. CST, <b>Corey Farrell</b> wrote:</p>
<blockquote style="margin-left: 1em; border-left: 2px solid #d0d0d0; padding-left: 10px;">
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">If we assume that there are always unknown security vulnerabilities, I think it is worth completely removing "Server: Asterisk/&lt;version&gt;". Another option would be trimming to major version only - Server: Asterisk/13. Otherwise any system with default config that does not receive a security update will always inform hackers of that fact.
I'm not sure others will agree with this but feel that it needs to be considered.</pre>
</blockquote>
</blockquote>
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">I thought about this as well. As a rebuttal to changing this mid-stream, I'd note the following:
* Although it is somewhat unlikely, there is a chance that someone has built a system relying on this information. For example, if I had a pool of private Asterisk servers, I may be using cURL to check Asterisk's HTTP server to get the version that is deployed on each server. While this isn't highly likely, I've seen systems that do weirder things. I'd prefer to not break existing systems unless we feel there is no other option.
* We do the same thing in other areas. For example, the UserAgent header and the SDP session name in chan_sip include the version. Arguably, this exposes Asterisk more than the HTTP server - we are far more likely to have someone inspecting the SIP traffic than the HTTP server (which sits on a non-standard port).
As it is, I'd be fine if we changed this in trunk, but I'd prefer the 11/13 implementations to keep the existing behaviour.</pre>
<br />
<p>- Matt</p>
<br />
<p>On January 28th, 2015, 8:13 p.m. CST, Ashley Sanders wrote:</p>
<table bgcolor="#fefadf" width="100%" cellspacing="0" cellpadding="8" style="background-image: url('https://reviewboard.asterisk.org/static/rb/images/review_request_box_top_bg.ab6f3b1072c9.png'); background-position: left top; background-repeat: repeat-x; border: 1px black solid;">
<tr>
<td>
<div>Review request for Asterisk Developers.</div>
<div>By Ashley Sanders.</div>
<p style="color: grey;"><i>Updated Jan. 28, 2015, 8:13 p.m.</i></p>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Bugs: </b>
<a href="https://issues.asterisk.org/jira/browse/ASTERISK-24316">ASTERISK-24316</a>
</div>
<div style="margin-top: 1.5em;">
<b style="color: #575012; font-size: 10pt;">Repository: </b>
Asterisk
</div>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Description </h1>
<table width="100%" bgcolor="#ffffff" cellspacing="0" cellpadding="10" style="border: 1px solid #b8b5a0">
<tr>
<td>
<pre style="margin: 0; padding: 0; white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/&lt;version&gt;", where &lt;version&gt; is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself.
By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/&lt;version&gt;", where &lt;version&gt; is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://&lt;bindaddr&gt;:&lt;bindport&gt;/&lt;prefix&gt;/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/</pre>
</td>
</tr>
</table>
<h1 style="color: #575012; font-size: 10pt; margin-top: 1.5em;">Diffs </h1>
<ul style="margin-left: 3em; padding-left: 0;">
<li>./branches/13/main/http.c <span style="color: grey">(431112)</span></li>
<li>./branches/13/include/asterisk/http.h <span style="color: grey">(431112)</span></li>
<li>./branches/13/configs/samples/http.conf.sample <span style="color: grey">(431112)</span></li>
</ul>
<p><a href="https://reviewboard.asterisk.org/r/4374/diff/" style="margin-left: 3em;">View Diff</a></p>
</td>
</tr>
</table>
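<p>As an added example, not part of this review request or of Asterisk's own code: a small Python audit that extracts the Server header from a raw HTTP response, as the cURL check mentioned in the reply above would, and classifies how much version detail it reveals (full version, major version only, a custom servername, or nothing). Because the reply also points out that chan_sip's User-Agent header carries the same version string, the same parser handles a raw SIP message. The sample responses are constructed for illustration; the default port 8088, the placement of servername under [general] in http.conf, and the "Asterisk PBX &lt;version&gt;" form of the SIP User-Agent are assumptions rather than facts stated on this page.</p>

```python
"""Audit what an Asterisk HTTP Server (or SIP User-Agent) banner reveals.

Added example, not part of review r/4374 or of Asterisk itself.  The raw
messages below are constructed for illustration, not captured from a server.

Assumed http.conf fragment that turns the new option on (section name assumed):
    [general]
    enabled=yes
    bindaddr=127.0.0.1
    bindport=8088
    servername=SomeSuperAwesomeServerName
"""
import http.client
import re
from typing import Dict, Optional, Tuple

# Header names assumed to carry the banner: "Server" for Asterisk's HTTP
# server, "User-Agent" for chan_sip (both named in the review thread).
BANNER_HEADERS = ("Server", "User-Agent")

# Matches "Asterisk/13.1.0", "Asterisk/13" and (assumed SIP form)
# "Asterisk PBX 13.1.0"; group 1 is the version token.
_ASTERISK_BANNER = re.compile(r"^Asterisk(?: PBX)?[/ ](\d+(?:\.\d+)*\S*)$", re.I)


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split an HTTP or SIP message into {header-name-lower: value}.

    Only the start line and the header block are read; anything after the
    first blank line (the body) is ignored.  Duplicate headers keep the last.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status/request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def banner(raw: bytes) -> Optional[str]:
    """Return the Server (HTTP) or User-Agent (SIP) value, or None if absent."""
    headers = parse_headers(raw)
    for name in BANNER_HEADERS:
        if name.lower() in headers:
            return headers[name.lower()]
    return None


def exposure(value: Optional[str]) -> str:
    """Classify how much version detail a banner gives away.

    'full'   - Asterisk plus a dotted version, e.g. Asterisk/13.1.0 (default)
    'major'  - Asterisk plus the major version only, e.g. Asterisk/13
    'none'   - header absent or empty (servername= with an empty value)
    'custom' - anything else, e.g. a servername set in http.conf
    """
    if not value:
        return "none"
    match = _ASTERISK_BANNER.match(value)
    if match is None:
        return "custom"
    return "full" if "." in match.group(1) else "major"


def audit(raw: bytes) -> Tuple[Optional[str], str]:
    """Convenience wrapper: (banner value, exposure class) for one raw message."""
    value = banner(raw)
    return value, exposure(value)


def probe(host: str, port: int = 8088, prefix: str = "",
          timeout: float = 5.0) -> Optional[str]:
    """GET /<prefix>/httpstatus on a live Asterisk and return its Server header.

    Network helper for real use; the offline samples below do not call it.
    The default port and empty prefix are assumptions about http.conf.
    """
    path = "/httpstatus" if not prefix else "/%s/httpstatus" % prefix.strip("/")
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


# Constructed sample responses (not captured from a real server).
DEFAULT_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: Asterisk/13.1.0\r\n"
                    b"Content-Type: text/html\r\nContent-Length: 0\r\n\r\n")
MAJOR_ONLY = b"HTTP/1.1 200 OK\r\nServer: Asterisk/13\r\nContent-Length: 0\r\n\r\n"
CUSTOM_NAME = (b"HTTP/1.1 200 OK\r\nServer: SomeSuperAwesomeServerName\r\n"
               b"Content-Length: 0\r\n\r\n")
EMPTY_NAME = b"HTTP/1.1 200 OK\r\nServer: \r\nContent-Length: 0\r\n\r\n"
SIP_OPTIONS_REPLY = (b"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.1:5060\r\n"
                     b"User-Agent: Asterisk PBX 13.1.0\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT_RESPONSE), ("major", MAJOR_ONLY),
                       ("custom", CUSTOM_NAME), ("empty", EMPTY_NAME),
                       ("sip", SIP_OPTIONS_REPLY)):
        print("%-8s %-32r %s" % (label, *audit(raw)))
```

<p>Run against a real box with probe("pbx.example.net", 8088) and feed the result to exposure(); "full" means the deployment still sends the stock banner that Corey's comment is concerned about, and "custom" or "none" means the servername option is in effect. Note that the check covers only the HTTP server; the SIP User-Agent and SDP session name mentioned in the reply above are untouched by this patch.</p>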
</div>
</body>
</html>