Author: violetagg
Date: Thu May 8 07:10:54 2014
New Revision: 1593189
URL: http://svn.apache.org/r1593189
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56463
Property for disabling server information is added to the DefaultServlet.
Modified:
tomcat/trunk/conf/web.xml
tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/default-servlet.xml
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/conf/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=1593189&r1=1593188&r2=1593189&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Thu May 8 07:10:54 2014
@@ -94,6 +94,10 @@
<!-- path that points to a location below either -->
<!-- $CATALINA_BASE/conf (checked first) or -->
<!-- $CATALINA_HOME/conf (checked second).[null] -->
+ <!-- -->
+ <!-- showServerInfo Should server information be presented in the -->
+ <!-- response sent to clients when directory -->
+ <!-- listings is enabled? [true] -->
<servlet>
<servlet-name>default</servlet-name>
Modified: tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1593189&r1=1593188&r2=1593189&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Thu May
8 07:10:54 2014
@@ -253,6 +253,11 @@ public class DefaultServlet extends Http
*/
protected boolean useAcceptRanges = true;
+ /**
+ * Flag to determine if server information is presented.
+ */
+ protected boolean showServerInfo = true;
+
// --------------------------------------------------------- Public Methods
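Review bot: The Javadoc on the new `showServerInfo` field says only that server information is "presented", which leaves a reader guessing where and how the flag is set. Since the later hunks in this file read it from the `showServerInfo` init parameter and consult it only around the `ServerInfo.getServerInfo()` line in the directory-listing HTML, the comment should say so: `* Flag to determine if server information (ServerInfo.getServerInfo()) is included in generated directory listings. Set from the "showServerInfo" init parameter; defaults to true.` Stating the default and the init-parameter name here keeps the field in step with the conf/web.xml and default-servlet.xml documentation added by the same commit.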
@@ -320,6 +325,10 @@ public class DefaultServlet extends Http
if (resources == null) {
throw new UnavailableException("No resources");
}
+
+ if (getServletConfig().getInitParameter("showServerInfo") != null) {
+ showServerInfo =
Boolean.parseBoolean(getServletConfig().getInitParameter("showServerInfo"));
+ }
}
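Review bot: The new lines call `getServletConfig().getInitParameter("showServerInfo")` twice, once for the null check and once for the parse; reading it into a local keeps the two in step and is easier to scan alongside the other init-parameter handling in this method. Proposed replacement: `String showServerInfoParam = getServletConfig().getInitParameter("showServerInfo");` / `if (showServerInfoParam != null) {` / `showServerInfo = Boolean.parseBoolean(showServerInfoParam);`. Note that `Boolean.parseBoolean` maps any value other than a case-insensitive "true" to false, so a mistyped value silently disables the server banner rather than failing; that is the conservative direction for this flag, but worth a comment if consistency with how the sibling parameters are parsed matters. The enclosing method begins before this hunk.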
@@ -1489,7 +1498,9 @@ public class DefaultServlet extends Http
sb.append("<HR size=\"1\" noshade=\"noshade\">");
}
- sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>");
+ if (showServerInfo) {
+
sb.append("<h3>").append(ServerInfo.getServerInfo()).append("</h3>");
+ }
sb.append("</body>\r\n");
sb.append("</html>\r\n");
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1593189&r1=1593188&r2=1593189&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu May 8 07:10:54 2014
@@ -146,6 +146,12 @@
problem is encountered calling a getter or setter on a component
attribute. The logging level is raised from debug to warning. (markt)
</fix>
+ <add>
+ <bug>56463</bug>: Property for disabling server information is added to
+ the <code>DefaultServlet</code>. Server information is presented in the
+ response sent to the client when directory listings is enabled.
+ (violetagg)
+ </add>
<fix>
<bug>56481</bug>: Work around case insensitivity issue in
<code>URLClassLoader</code> exposed by some recent refactoring. (markt)
Modified: tomcat/trunk/webapps/docs/default-servlet.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/default-servlet.xml?rev=1593189&r1=1593188&r2=1593189&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/default-servlet.xml (original)
+++ tomcat/trunk/webapps/docs/default-servlet.xml Thu May 8 07:10:54 2014
@@ -166,6 +166,10 @@ directory listings are disabled and debu
If true, the Accept-Ranges header will be set when appropriate for the
response. [true]
</property>
+ <property name="showServerInfo">
+ Should server information be presented in the response sent to clients
+ when directory listing is enabled. [true]
+ </property>
</properties>
</section>
Modified: tomcat/trunk/webapps/docs/security-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/security-howto.xml?rev=1593189&r1=1593188&r2=1593189&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/security-howto.xml (original)
+++ tomcat/trunk/webapps/docs/security-howto.xml Thu May 8 07:10:54 2014
@@ -437,6 +437,21 @@
thousands of files can consume significant CPU leading to a DOS attack.
</p>
+ <p>The DefaultServlet is configured with <strong>showServerInfo</strong>
+ set to <code>true</code>. When the directory listings is enabled the Tomcat
+ version number is included in the response sent to clients. To avoid this,
+ you can explicitly configure a DefaultServlet and set its
+ <strong>showServerInfo</strong> attribute to false.
+ Alternatively, the version number can be changed by creating the file
+ CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties with
+ content as follows:</p>
+ <source>server.info=Apache Tomcat/<version-major-minor/>.x</source>
+ <p>Modify the values as required. Note that this will also change the
version
+ number reported in some of the management tools and may make it harder to
+ determine the real version installed. The CATALINA_HOME/bin/version.bat|sh
+ script will still report the version number.
+ </p>
+
<p><a href="config/filter.html">FailedRequestFilter</a>
can be configured and used to reject requests that had errors during
request parameter parsing. Without the filter the default behaviour is