[asterisk-dev] [Code Review] 4374: Asterisk: For httpd server, need option to define server name for security purposes
Ashley Sanders
reviewboard at asterisk.org
Tue Jan 27 16:59:23 CST 2015
> On Jan. 26, 2015, 5:44 p.m., rmudgett wrote:
> > ./branches/13/main/http.c, line 2155
> > <https://reviewboard.asterisk.org/r/4374/diff/1/?file=71085#file71085line2155>
> >
> > Setting a blank string will really mean a blank servername output value:
> > Server:
> >
> > Is it intended for this to reset to the default "Asterisk/<version>"?
> >
> > An alternate method is to check the set value at the end of the function for an empty string and set the global value to "Asterisk/<version>".
>
> Ashley Sanders wrote:
> This is by design. There are three possible outcomes for the value of servername:
> 1) The user configured an empty/null value for servername (e.g. servername="")
> 2) The user configured a non-empty value for servername (e.g. servername="JohnMcClane")
> 3) There was nothing configured for servername.
>
> The HTTP server will respond as follows, respectively:
> 1) Server:
> 2) Server: JohnMcClane
> 3) Server: Asterisk/<version>
>
> rmudgett wrote:
> This definitely needs to be documented in the sample file as the behavior then.
>
> Ashley Sanders wrote:
> Noted. Just as an FYI, this was documented in the test description in the yaml file and also in the description for this review.
I revised the description in the http.conf.sample file and also, due to feedback on the Testsuite review, I modified the behavior as follows:
This test verifies that the HTTP server correctly reports the expected name through the [Server] header field in all HTTP responses. It uses three instances of Asterisk to test the three possible logic paths:
1) No configuration was provided
2) A non-empty/non-null value was provided through the new configuration property [servername]
3) An empty/null value was provided through the new configuration property [servername]
For clarity, consider this example for the possible outcomes as described above, respectively:
1) There was nothing configured for [servername].
2) The user configured a non-empty value for [servername] (e.g. servername="JohnMcClane")
3) The user configured an empty/null value for [servername] (e.g. servername="")
The HTTP server is expected to create the [Server] header field as follows, respectively:
1) Server: Asterisk/<version>
2) Server: JohnMcClane
3)
In case #3, the [Server] header field will be omitted from HTTP response headers.
- Ashley
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/4374/#review14289
-----------------------------------------------------------
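The unset / non-empty / empty distinction discussed above, as an added example that is not Asterisk's http.c: a constructed http.conf parser keeps "servername= absent" and "servername= with an empty value" apart, the header builder turns that into the three Server header outcomes, and a matcher compares the result against what the Testsuite expects. The struct name, parser and version string are stand-ins, not Asterisk identifiers.

```c
/* Added example, not Asterisk's http.c: models the tri-state servername handling
 * from this review (unset / empty / value). The version string is a placeholder. */
#include <stdio.h>
#include <string.h>

#define AST_VERSION "13.x-PLACEHOLDER"

/* configured == 0 means no servername= line at all; value may be "" (case 3). */
struct server_name { int configured; char value[128]; };

/* Constructed parser: pick the servername= line out of an http.conf fragment
 * (quotes are not stripped; the text after '=' is taken literally). */
static void load_server_name(const char *conf, struct server_name *out)
{
    const char *line = conf;
    out->configured = 0;
    out->value[0] = '\0';
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 11 && strncmp(line, "servername=", 11) == 0) {
            size_t vlen = len - 11 < sizeof(out->value) ? len - 11 : sizeof(out->value) - 1;
            memcpy(out->value, line + 11, vlen);
            out->value[vlen] = '\0';
            out->configured = 1;   /* set even when the value is empty */
        }
        line = eol ? eol + 1 : NULL;
    }
}

/* Render the Server header line; returns bytes written, 0 when it is omitted. */
static int build_server_header(const struct server_name *n, char *buf, size_t cap)
{
    const char *name = n->configured ? n->value : "Asterisk/" AST_VERSION;
    if (name[0] == '\0') { buf[0] = '\0'; return 0; }   /* case 3: header omitted */
    return snprintf(buf, cap, "Server: %s\r\n", name);
}

/* Testsuite-style check: does this http.conf fragment yield exactly this header
 * line? Pass "" as expected to assert that the Server header is omitted. */
static int server_header_matches(const char *conf, const char *expected)
{
    struct server_name n;
    char line[256];
    load_server_name(conf, &n);
    build_server_header(&n, line, sizeof line);
    return strcmp(line, expected) == 0;
}
```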
On Jan. 26, 2015, 2:03 p.m., Ashley Sanders wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/4374/
> -----------------------------------------------------------
>
> (Updated Jan. 26, 2015, 2:03 p.m.)
>
>
> Review request for Asterisk Developers.
>
>
> Bugs: ASTERISK-24316
> https://issues.asterisk.org/jira/browse/ASTERISK-24316
>
>
> Repository: Asterisk
>
>
> Description
> -------
>
> Currently, all responses from the Asterisk HTTP server contain a [Server] header that identifies Asterisk and its version (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). The preferred behavior is to allow the user to configure an alternate name to use for the value returned in the [Server] header for HTTP responses (e.g. "Server:SomeSuperAwesomeServerName").
>
> This patch provides a new configuration property, [servername], in http.conf, that gives users the ability to modify the value that Asterisk uses when identifying itself.
>
> By default, the new property is unused, which means that out-of-the-box, the HTTP server behaves just like it did prior to the patch. Requests to the HTTP server will generate responses with the old-style [Server] header (e.g. "Server:Asterisk/<version>", where <version> is the currently running version of Asterisk). To see the new behavior, you must add the configuration property, [servername] with some value (an empty value will work, also) to http.conf.
>
> Whatever value the HTTP server is holding for the server name can now be seen through the httpstatus web page (http://<bindaddr>:<bindport>/<prefix>/httpstatus) (where [bindaddr], [bindport], and [prefix] are all values configured in http.conf) and the CLI command: http show status.
>
> ***Note*** This is just the patch to the Asterisk source. You can find the review for the Testsuite at: https://reviewboard.asterisk.org/r/4377/
>
>
> Diffs
> -----
>
> ./branches/13/main/http.c 431112
> ./branches/13/configs/samples/http.conf.sample 431112
>
> Diff: https://reviewboard.asterisk.org/r/4374/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Ashley Sanders
>
>