Download raw body.
(return of) the httpd banner suppressing patch
Henry Ford wrote:
> I have a few comments on this
>
> This directive should be listed along with the other directives that
> are not allowed in location blocks in the httpd.conf(5) manpage.
Good catch, thanks for giving this a deeper look.
> Since HTTPD_SERVERNAME is a constant I don't think you really need
> to use asprintf(3) here (could just use string literal concatenation).
>
> If if makes sense to use asprintf(3) here then you should check
> if it fails, and at some point free bannertoken.
>
Looking back, when I first developed the patch the servername was a
user configurable string. I later ripped that out and reverted to a
simple on/off condition of the banner. That said, the use of asprintf
is consistent with all the adjacent code and is a little bit cleaner
visually, but you're correct there was a missing free() in there.
As for checking for failure on asprintf, OpenBSD should set the value
of the pointer to NULL on error anyway which is checked later; however,
other OSes don't make that guarantee. E.g. Linux claims the value of
the pointer becomes undefined. So I would agree the additional check
and redundant setting the pointer to NULL does become prudent.
Thanks for the feedback, a revised patch can be found below.
Regards
Lloyd
Index: config.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/config.c,v
retrieving revision 1.65
diff -u -p -u -p -r1.65 config.c
--- config.c 17 Jan 2024 08:22:40 -0000 1.65
+++ config.c 13 May 2025 20:44:43 -0000
@@ -591,6 +591,8 @@ config_getserver_config(struct httpd *en
srv_conf->flags |= parent->flags & SRVFLAG_ERRDOCS;
(void)strlcpy(srv_conf->errdocroot, parent->errdocroot,
sizeof(srv_conf->errdocroot));
+
+ srv_conf->flags |= parent->flags & SRVFLAG_NO_BANNER;
DPRINTF("%s: %s %d location \"%s\", "
"parent \"%s[%u]\", flags: %s",
Index: httpd.conf.5
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.conf.5,v
retrieving revision 1.125
diff -u -p -u -p -r1.125 httpd.conf.5
--- httpd.conf.5 3 Nov 2023 13:03:02 -0000 1.125
+++ httpd.conf.5 13 May 2025 20:44:43 -0000
@@ -166,6 +166,14 @@ If not specified, it defaults to
within the
.Xr chroot 2
directory.
+.It Ic no banner
+Do not send the
+.Va Server
+HTTP response header, and hide the server software name in error documents.
+The
+.Va SERVER_SOFTWARE
+CGI environment variable is always set in accordance with
+.%R RFC 3875 .
.It Ic prefork Ar number
Run the specified number of server processes.
This increases the performance and prevents delays when connecting
@@ -227,6 +235,20 @@ and must be readable by the www user.
Use the
.Ic no authenticate
directive to disable authentication in a location.
+.It Oo Ic no Oc Ic banner
+When prefixed with the
+.Ic no
+keyword,
+suppress the
+.Va Server
+HTTP response header, and hide the server software name in error documents for
+the current
+.Ic server.
+If
+.Ic no
+is omitted, enable the banner for the current
+.Ic server
+if it was disabled globally.
.It Ic block drop
Drop the connection without sending an error page.
.It Ic block Op Ic return Ar code Op Ar uri
@@ -473,6 +495,7 @@ and for generic ones later on.
A location section may include most of the server configuration rules
except
.Ic alias ,
+.Ic banner ,
.Ic connection ,
.Ic errdocs ,
.Ic hsts ,
Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.165
diff -u -p -u -p -r1.165 httpd.h
--- httpd.h 8 Oct 2024 05:28:11 -0000 1.165
+++ httpd.h 13 May 2025 20:44:43 -0000
@@ -389,6 +389,7 @@ SPLAY_HEAD(client_tree, client);
#define SRVFLAG_PATH_REWRITE 0x01000000
#define SRVFLAG_NO_PATH_REWRITE 0x02000000
#define SRVFLAG_GZIP_STATIC 0x04000000
+#define SRVFLAG_NO_BANNER 0x08000000
#define SRVFLAG_LOCATION_FOUND 0x40000000
#define SRVFLAG_LOCATION_NOT_FOUND 0x80000000
@@ -398,7 +399,7 @@ SPLAY_HEAD(client_tree, client);
"\14SYSLOG\15NO_SYSLOG\16TLS\17ACCESS_LOG\20ERROR_LOG" \
"\21AUTH\22NO_AUTH\23BLOCK\24NO_BLOCK\25LOCATION_MATCH" \
"\26SERVER_MATCH\27SERVER_HSTS\30DEFAULT_TYPE\31PATH\32NO_PATH" \
- "\37LOCATION_FOUND\40LOCATION_NOT_FOUND"
+ "\33GZIP_STATIC\34NO_BANNER\37LOCATION_FOUND\40LOCATION_NOT_FOUND"
#define TCPFLAG_NODELAY 0x01
#define TCPFLAG_NNODELAY 0x02
Index: parse.y
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/parse.y,v
retrieving revision 1.128
diff -u -p -u -p -r1.128 parse.y
--- parse.y 27 Feb 2022 20:30:30 -0000 1.128
+++ parse.y 13 May 2025 20:44:43 -0000
@@ -141,9 +141,9 @@ typedef struct {
%token TIMEOUT TLS TYPE TYPES HSTS MAXAGE SUBDOMAINS DEFAULT PRELOAD REQUEST
%token ERROR INCLUDE AUTHENTICATE WITH BLOCK DROP RETURN PASS REWRITE
%token CA CLIENT CRL OPTIONAL PARAM FORWARDED FOUND NOT
-%token ERRDOCS GZIPSTATIC
+%token ERRDOCS GZIPSTATIC BANNER
%token <v.string> STRING
-%token <v.number> NUMBER
+%token <v.number> NUMBER
%type <v.port> port
%type <v.string> fcgiport
%type <v.number> opttls optmatch optfound
@@ -227,6 +227,9 @@ main : PREFORK NUMBER {
| LOGDIR STRING {
conf->sc_logdir = $2;
}
+ | NO BANNER {
+ conf->sc_flags |= SRVFLAG_NO_BANNER;
+ }
| DEFAULT TYPE mediastring {
memcpy(&conf->sc_default_type, &media,
sizeof(struct media_type));
@@ -300,6 +303,9 @@ server : SERVER optmatch STRING {
s->srv_conf.hsts_max_age = SERVER_HSTS_DEFAULT_AGE;
+ if (conf->sc_flags & SRVFLAG_NO_BANNER)
+ s->srv_conf.flags |= SRVFLAG_NO_BANNER;
+
(void)strlcpy(s->srv_conf.errdocroot,
conf->sc_errdocroot,
sizeof(s->srv_conf.errdocroot));
@@ -550,6 +556,7 @@ serveroptsl : LISTEN ON STRING opttls po
| request
| root
| directory
+ | banner
| logformat
| fastcgi
| authenticate
@@ -687,6 +694,22 @@ serveroptsl : LISTEN ON STRING opttls po
}
;
+banner : BANNER {
+ if (parentsrv != NULL) {
+ yyerror("banner inside location");
+ YYERROR;
+ }
+ srv->srv_conf.flags &= ~SRVFLAG_NO_BANNER;
+ }
+ | NO BANNER {
+ if (parentsrv != NULL) {
+ yyerror("no banner inside location");
+ YYERROR;
+ }
+ srv->srv_conf.flags |= SRVFLAG_NO_BANNER;
+ }
+ ;
+
optfound : /* empty */ { $$ = 0; }
| FOUND { $$ = 1; }
| NOT FOUND { $$ = -1; }
@@ -1428,6 +1451,7 @@ lookup(char *s)
{ "authenticate", AUTHENTICATE},
{ "auto", AUTO },
{ "backlog", BACKLOG },
+ { "banner", BANNER },
{ "block", BLOCK },
{ "body", BODY },
{ "buffer", BUFFER },
Index: server_fcgi.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_fcgi.c,v
retrieving revision 1.97
diff -u -p -u -p -r1.97 server_fcgi.c
--- server_fcgi.c 8 Nov 2023 19:19:10 -0000 1.97
+++ server_fcgi.c 13 May 2025 20:44:43 -0000
@@ -345,6 +345,7 @@ server_fcgi(struct httpd *env, struct cl
goto fail;
}
+ /* RFC 3875 requires this variable always be present */
if (fcgi_add_param(¶m, "SERVER_SOFTWARE", HTTPD_SERVERNAME,
clt) == -1) {
errstr = "failed to encode param";
@@ -659,9 +660,12 @@ server_fcgi_header(struct client *clt, u
kv_set(&resp->http_pathquery, "%s", error) == -1)
return (-1);
- /* Add headers */
- if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL)
- return (-1);
+ /* Add server banner header to response unless suppressed */
+ if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) {
+ if (kv_add(&resp->http_headers, "Server",
+ HTTPD_SERVERNAME) == NULL)
+ return (-1);
+ }
if (clt->clt_fcgi.type == FCGI_END_REQUEST ||
EVBUFFER_LENGTH(clt->clt_srvevb) == 0) {
Index: server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.155
diff -u -p -u -p -r1.155 server_http.c
--- server_http.c 22 Dec 2024 13:51:42 -0000 1.155
+++ server_http.c 13 May 2025 20:44:43 -0000
@@ -890,6 +890,7 @@ server_abort_http(struct client *clt, un
char *httpmsg, *body = NULL, *extraheader = NULL;
char tmbuf[32], hbuf[128], *hstsheader = NULL;
char *clenheader = NULL;
+ char *bannerheader = NULL, *bannertoken = NULL;
char buf[IBUF_READ_SIZE];
char *escapedmsg = NULL;
char cstr[5];
@@ -981,7 +982,11 @@ server_abort_http(struct client *clt, un
body = replace_var(body, "$HTTP_ERROR", httperr);
body = replace_var(body, "$RESPONSE_CODE", cstr);
- body = replace_var(body, "$SERVER_SOFTWARE", HTTPD_SERVERNAME);
+ /* Check if server banner is suppressed */
+ if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0)
+ body = replace_var(body, "$SERVER_SOFTWARE", HTTPD_SERVERNAME);
+ else
+ body = replace_var(body, "$SERVER_SOFTWARE", "");
bodylen = strlen(body);
goto send;
@@ -994,6 +999,14 @@ server_abort_http(struct client *clt, un
"body { background-color: #1E1F21; color: #EEEFF1; }\n"
"a { color: #BAD7FF; }\n}";
+ /* If banner is suppressed, don't write it to the error document */
+ if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0)
+ if (asprintf(&bannertoken, "<hr>\n<address>%s</address>\n",
+ HTTPD_SERVERNAME) == -1) {
+ bannertoken = NULL;
+ goto done;
+ }
+
/* Generate simple HTML error document */
if ((bodylen = asprintf(&body,
"<!DOCTYPE html>\n"
@@ -1005,10 +1018,11 @@ server_abort_http(struct client *clt, un
"</head>\n"
"<body>\n"
"<h1>%03d %s</h1>\n"
- "<hr>\n<address>%s</address>\n"
+ "%s"
"</body>\n"
"</html>\n",
- code, httperr, style, code, httperr, HTTPD_SERVERNAME)) == -1) {
+ code, httperr, style, code, httperr,
+ bannertoken == NULL ? "" : bannertoken)) == -1) {
body = NULL;
goto done;
}
@@ -1037,11 +1051,19 @@ server_abort_http(struct client *clt, un
}
}
+ /* If banner is suppressed, don't write a Server header */
+ if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0)
+ if (asprintf(&bannerheader, "Server: %s\r\n",
+ HTTPD_SERVERNAME) == -1) {
+ bannerheader = NULL;
+ goto done;
+ }
+
/* Add basic HTTP headers */
if (asprintf(&httpmsg,
"HTTP/1.0 %03d %s\r\n"
"Date: %s\r\n"
- "Server: %s\r\n"
+ "%s"
"Connection: close\r\n"
"Content-Type: text/html\r\n"
"%s"
@@ -1049,7 +1071,8 @@ server_abort_http(struct client *clt, un
"%s"
"\r\n"
"%s",
- code, httperr, tmbuf, HTTPD_SERVERNAME,
+ code, httperr, tmbuf,
+ bannerheader == NULL ? "" : bannerheader,
clenheader == NULL ? "" : clenheader,
extraheader == NULL ? "" : extraheader,
hstsheader == NULL ? "" : hstsheader,
@@ -1066,6 +1089,8 @@ server_abort_http(struct client *clt, un
free(extraheader);
free(hstsheader);
free(clenheader);
+ free(bannerheader);
+ free(bannertoken);
if (msg == NULL)
msg = "\"\"";
if (asprintf(&httpmsg, "%s (%03d %s)", msg, code, httperr) == -1) {
@@ -1558,10 +1583,12 @@ server_response_http(struct client *clt,
kv_set(&resp->http_pathquery, "%s", error) == -1)
return (-1);
- /* Add headers */
- if (kv_add(&resp->http_headers, "Server", HTTPD_SERVERNAME) == NULL)
- return (-1);
-
+ /* Add server banner header to response unless suppressed */
+ if ((srv_conf->flags & SRVFLAG_NO_BANNER) == 0) {
+ if (kv_add(&resp->http_headers, "Server",
+ HTTPD_SERVERNAME) == NULL)
+ return (-1);
+ }
/* Is it a persistent connection? */
if (clt->clt_persist) {
if (kv_add(&resp->http_headers,
(return of) the httpd banner suppressing patch