Mailing List Archive

Hi tech@ Any further interest in testing this patch? FWIW it also fixes a bug in httpd's debugging output. Regards Lloyd On Saturday, February 15th, 2025, Kirill A. Korinsky wrote: > On Wed, 05 Feb 2025 21:38:56 +0100, > Lloyd wrote: > > > Stuart Henderson wrote: > > > > > "disablebanner" and especially "no disablebanner" is not nice syntax. > > > considering other config options, "[no] banner" would be idiomatic. > > > > Hi, I reworked this patch option parsing as Stu suggested: > > > Lightly tested and I'd like to confirm what it works as advertised. > > OK kirill@ > > > Index: config.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/config.c,v > > retrieving revision 1.65 > > diff -u -p -u -p -r1.65 config.c > > --- config.c 17 Jan 2024 08:22:40 -0000 1.65 > > +++ config.c 5 Feb 2025 20:22:29 -0000 > > @@ -591,6 +591,8 @@ config_getserver_config(struct httpd *en > > srv_conf->flags |= parent->flags & SRVFLAG_ERRDOCS; > > (void)strlcpy(srv_conf->errdocroot, parent->errdocroot, > > sizeof(srv_conf->errdocroot)); > > + > > + srv_conf->flags |= parent->flags & SRVFLAG_NO_BANNER; > > > > DPRINTF("%s: %s %d location \"%s\", " > > "parent \"%s[%u]\", flags: %s", > > Index: httpd.conf.5 > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v > > retrieving revision 1.125 > > diff -u -p -u -p -r1.125 httpd.conf.5 > > --- httpd.conf.5 3 Nov 2023 13:03:02 -0000 1.125 > > +++ httpd.conf.5 5 Feb 2025 20:22:29 -0000 > > @@ -166,6 +166,14 @@ If not specified, it defaults to > > within the > > .Xr chroot 2 > > directory. > > +.It Ic no banner > > +Do not send the > > +.Va Server > > +HTTP response header, and hide the server software name in error documents. > > +The > > +.Va SERVER_SOFTWARE > > +CGI environment variable is always set in accordance with > > +.%R RFC 3875 . > > .It Ic prefork Ar number > > Run the specified number of server processes. > > This increases the performance and prevents delays when connecting > > @@ -227,6 +235,20 @@ and must be readable by the www user. > > Use the > > .Ic no authenticate > > directive to disable authentication in a location. > > +.It Oo Ic no Oc Ic banner > > +When prefixed with the > > +.Ic no > > +keyword, > > +suppress the > > +.Va Server > > +HTTP response header, and hide the server software name in error documents for > > +the current > > +.Ic server. > > +If > > +.Ic no > > +is omitted, enable the banner for the current > > +.Ic server > > +if it was disabled globally. > > .It Ic block drop > > Drop the connection without sending an error page. > > .It Ic block Op Ic return Ar code Op Ar uri > > Index: httpd.h > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v > > retrieving revision 1.165 > > diff -u -p -u -p -r1.165 httpd.h > > --- httpd.h 8 Oct 2024 05:28:11 -0000 1.165 > > +++ httpd.h 5 Feb 2025 20:22:29 -0000 > > @@ -389,6 +389,7 @@ SPLAY_HEAD(client_tree, client); > > #define SRVFLAG_PATH_REWRITE 0x01000000 > > #define SRVFLAG_NO_PATH_REWRITE 0x02000000 > > #define SRVFLAG_GZIP_STATIC 0x04000000 > > +#define SRVFLAG_NO_BANNER 0x08000000 > > #define SRVFLAG_LOCATION_FOUND 0x40000000 > > #define SRVFLAG_LOCATION_NOT_FOUND 0x80000000 > > > > @@ -398,7 +399,7 @@ SPLAY_HEAD(client_tree, client); > > "\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG" \ > > "\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH" \ > > "\26SERVER_MATCH\27SERVER_HSTS\30DEFAULT_TYPE\31PATH\32NO_PATH" \ > > - "\37LOCATION_FOUND\40LOCATION_NOT_FOUND" > > + "\33GZIP_STATIC\34NO_BANNER\37LOCATION_FOUND\40LOCATION_NOT_FOUND" > > > > #define TCPFLAG_NODELAY 0x01 > > #define TCPFLAG_NNODELAY 0x02 > > Index: parse.y > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/parse.y,v > > retrieving revision 1.128 > > diff -u -p -u -p -r1.128 parse.y > > --- parse.y 27 Feb 2022 20:30:30 -0000 1.128 > > +++ parse.y 5 Feb 2025 20:22:29 -0000 > > @@ -141,9 +141,9 @@ typedef struct { > > %token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST > > %token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS REWRITE > > %token CA CLIENT CRL OPTIONAL PARAM FORWARDED FOUND NOT > > -%token ERRDOCS GZIPSTATIC > > +%token ERRDOCS GZIPSTATIC BANNER > > %token <v.string> STRING > > -%token <v.number> NUMBER > > +%token <v.number> NUMBER > > %type <v.port> port > > %type <v.string> fcgiport > > %type <v.number> opttls optmatch optfound > > @@ -227,6 +227,9 @@ main : PREFORK NUMBER { > > | LOGDIR STRING { > > conf->sc_logdir = $2; > > } > > + | NO BANNER { > > + conf->sc_flags |= SRVFLAG_NO_BANNER; > > + } > > | DEFAULT TYPE mediastring { > > memcpy(&conf->sc_default_type, &media, > > sizeof(struct media_type)); > > @@ -300,6 +303,9 @@ server : SERVER optmatch STRING { > > > > s->srv_conf.hsts_max_age = SERVER_HSTS_DEFAULT_AGE; > > > > + if (conf->sc_flags & SRVFLAG_NO_BANNER) > > + s->srv_conf.flags |= SRVFLAG_NO_BANNER; > > + > > (void)strlcpy(s->srv_conf.errdocroot, > > conf->sc_errdocroot, > > sizeof(s->srv_conf.errdocroot)); > > @@ -550,6 +556,7 @@ serveroptsl : LISTEN ON STRING opttls po > > | request > > | root > > | directory > > + | banner > > | logformat > > | fastcgi > > | authenticate > > @@ -687,6 +694,22 @@ serveroptsl : LISTEN ON STRING opttls po > > } > > ; > > > > +banner : BANNER { > > + if (parentsrv != NULL) { > > + yyerror("banner inside location"); > > + YYERROR; > > + } > > + srv->srv_conf.flags &= ~SRVFLAG_NO_BANNER; > > + } > > + | NO BANNER { > > + if (parentsrv != NULL) { > > + yyerror("no banner inside location"); > > + YYERROR; > > + } > > + srv->srv_conf.flags |= SRVFLAG_NO_BANNER; > > + } > > + ; > > + > > optfound : /* empty */ { $$ = 0; } > > | FOUND { $$ = 1; } > > | NOT FOUND { $$ = -1; } > > @@ -1428,6 +1451,7 @@ lookup(char *s) > > { "authenticate", AUTHENTICATE}, > > { "auto", AUTO }, > > { "backlog", BACKLOG }, > > + { "banner", BANNER }, > > { "block", BLOCK }, > > { "body", BODY }, > > { "buffer", BUFFER }, > > Index: server_fcgi.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v > > retrieving revision 1.97 > > diff -u -p -u -p -r1.97 server_fcgi.c > > --- server_fcgi.c 8 Nov 2023 19:19:10 -0000 1.97 > > +++ server_fcgi.c 5 Feb 2025 20:22:29 -0000 > > @@ -345,6 +345,7 @@ server_fcgi(struct httpd *env, struct cl > > goto fail; > > } > > > > + /* RFC 3875 requires this variable always be present */ > > if (fcgi_add_param(&param, "SERVER_SOFTWARE", HTTPD_SERVERNAME, > > clt) == -1) { > > errstr = "failed to encode param"; > > @@ -659,9 +660,12 @@ server_fcgi_header(struct client *clt, u > > kv_set(&resp->http_pathquery, "%s", error) == -1) > > return (-1); > > > > - /* Add headers / > > - if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL) > > - return (-1); > > + / Add server banner header to response unless suppressed */ > > + if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) { > > + if (kv_add(&resp->http_headers, "Server", > > + HTTPD_SERVERNAME) == NULL) > > + return (-1); > > + } > > > > if (clt->clt_fcgi.type == FCGI_END_REQUEST || > > EVBUFFER_LENGTH(clt->clt_srvevb) == 0) { > > Index: server_http.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v > > retrieving revision 1.155 > > diff -u -p -u -p -r1.155 server_http.c > > --- server_http.c 22 Dec 2024 13:51:42 -0000 1.155 > > +++ server_http.c 5 Feb 2025 20:22:29 -0000 > > @@ -890,6 +890,7 @@ server_abort_http(struct client *clt, un > > char *httpmsg, *body = NULL, *extraheader = NULL; > > char tmbuf[32], hbuf[128], *hstsheader = NULL; > > char *clenheader = NULL; > > + char *bannerheader = NULL, *bannertoken = NULL; > > char buf[IBUF_READ_SIZE]; > > char *escapedmsg = NULL; > > char cstr[5]; > > @@ -981,7 +982,11 @@ server_abort_http(struct client *clt, un > > > > body = replace_var(body, "$HTTP_ERROR", httperr); > > body = replace_var(body, "$RESPONSE_CODE", cstr); > > - body = replace_var(body, "$SERVER_SOFTWARE", HTTPD_SERVERNAME); > > + /* Check if server banner is suppressed */ > > + if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) > > + body = replace_var(body, "$SERVER_SOFTWARE", HTTPD_SERVERNAME); > > + else > > + body = replace_var(body, "$SERVER_SOFTWARE", ""); > > bodylen = strlen(body); > > goto send; > > > > @@ -994,6 +999,11 @@ server_abort_http(struct client *clt, un > > "body { background-color: #1E1F21; color: #EEEFF1; }\n" > > "a { color: #BAD7FF; }\n}"; > > > > + /* If banner is suppressed, don't write it to the error document / > > + if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) > > + asprintf(&bannertoken, "<hr>\n<address>%s</address>\n", > > + HTTPD_SERVERNAME); > > + > > / Generate simple HTML error document */ > > if ((bodylen = asprintf(&body, > > "<!DOCTYPE html>\n" > > @@ -1005,10 +1015,11 @@ server_abort_http(struct client *clt, un > > "</head>\n" > > "<body>\n" > > "<h1>%03d %s</h1>\n" > > - "<hr>\n<address>%s</address>\n" > > + "%s" > > "</body>\n" > > "</html>\n", > > - code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) { > > + code, httperr, style, code, httperr, > > + bannertoken == NULL ? "" : bannertoken)) == -1) { > > body = NULL; > > goto done; > > } > > @@ -1037,11 +1048,16 @@ server_abort_http(struct client *clt, un > > } > > } > > > > + /* If banner is suppressed, don't write a Server header / > > + if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) > > + asprintf(&bannerheader, "Server: %s\r\n", > > + HTTPD_SERVERNAME); > > + > > / Add basic HTTP headers */ > > if (asprintf(&httpmsg, > > "HTTP/1.0 %03d %s\r\n" > > "Date: %s\r\n" > > - "Server: %s\r\n" > > + "%s" > > "Connection: close\r\n" > > "Content-Type: text/html\r\n" > > "%s" > > @@ -1049,7 +1065,8 @@ server_abort_http(struct client *clt, un > > "%s" > > "\r\n" > > "%s", > > - code, httperr, tmbuf, HTTPD_SERVERNAME, > > + code, httperr, tmbuf, > > + bannerheader == NULL ? "" : bannerheader, > > clenheader == NULL ? "" : clenheader, > > extraheader == NULL ? "" : extraheader, > > hstsheader == NULL ? "" : hstsheader, > > @@ -1558,10 +1575,12 @@ server_response_http(struct client *clt, > > kv_set(&resp->http_pathquery, "%s", error) == -1) > > return (-1); > > > > - /* Add headers / > > - if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL) > > - return (-1); > > - > > + / Add server banner header to response unless suppressed / > > + if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) { > > + if (kv_add(&resp->http_headers, "Server", > > + HTTPD_SERVERNAME) == NULL) > > + return (-1); > > + } > > / Is it a persistent connection? */ > > if (clt->clt_persist) { > > if (kv_add(&resp->http_headers, > > > -- > wbr, Kirill

2025-02-15 21:14 Kirill A. Korinsky:
httpd(8): patch to disable/modify the server banner
- 2025-02-19 18:44 Lloyd:
  httpd(8): patch to disable/modify the server banner
- 2025-04-07 18:51 Lloyd:
  httpd(8): patch to disable/modify the server banner