https://issues.apache.org/bugzilla/show_bug.cgi?id=48006

olivier dupuy <olivier.du...@pwgsc.gc.ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #2 from olivier dupuy <olivier.du...@pwgsc.gc.ca> 2009-10-15 12:01:07 UTC ---
True that it's there in web.xml and even in the 5.5 version.
I agree that it is a security hole IN PRODUCTION but for a development and test
environment this is not a concern.

Moreover, you do not have the precise Tomcat version and the precise JVM version.

You have this header
Server    Apache-Coyote/1.1
and this one
X-Powered-By    JSP/2.1

To be really useful, this should IMHO be something such as
Server    Apache-Coyote/1.1
X-Powered-By    JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04

And if you consider this to be a security hole, then the Server header is
also one and should be banned too for the same reasons.

Sorry to insist, but the operation teams are not always what they should be, and
this information saves time for some development teams like mine.

I am perfectly OK with a default value of "false" in web.xml to not show the
header for the reasons mentioned by Tim.

Thanks for considering my point of view.

Olivier
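As an added example (not part of the bug report and not Tomcat's own code), here is a small check a development or operations team could run against a test environment to list exactly which product/version strings a response exposes in its fingerprinting headers. The sample response is constructed here to mirror the headers quoted in the comment above; the header names treated as fingerprinting headers are an assumption of this example.

```python
import re

# Constructed sample response (not captured from a real server); the Server
# and X-Powered-By values mirror those proposed in the bug comment.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: JSP/2.1 Tomcat/5.5.28 JRE/SUN/1.5.0_12-b04\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
)

# Response headers that commonly carry product/version fingerprints
# (assumed list for this example; extend as needed).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")

# A "product/version" token such as Tomcat/5.5.28, JSP/2.1 or Apache-Coyote/1.1.
# The version part must start with a digit so that "JRE/SUN" is not treated
# as a version.
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/([0-9][\w.-]*)")


def parse_headers(raw):
    """Split a raw HTTP response into (name, value) header pairs.

    Duplicate headers are preserved, which is why a list is returned."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def version_disclosures(headers):
    """Return (header, product, version) for every versioned product token
    found in a fingerprinting header; header names match case-insensitively."""
    found = []
    for name, value in headers:
        if name.lower() not in FINGERPRINT_HEADERS:
            continue
        for product, version in TOKEN_RE.findall(value):
            found.append((name, product, version))
    return found


if __name__ == "__main__":
    for header, product, version in version_disclosures(parse_headers(SAMPLE_RESPONSE)):
        print(f"{header}: {product} {version}")
```

Run against a development server, the output makes explicit what the comment argues about: both headers disclose something, and the proposed X-Powered-By value would also name the exact Tomcat and JRE builds.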
