Manuscript (Case [Issue]22886) Zinc - Zinc should allow custom server string


Pharo Issue Tracker
Manuscript Notification
Torsten Bergmann revised a previous entry on Case 22886: Zinc should allow custom server string:
Bug in Project: Zinc: 1. Pharo Image
With Zinc one is able to implement a custom webserver either to serve static/dynamic
pages, a REST API or other.

On a production machine one wants to foster web security and give as little information
as possible to an outside "hacker". Specific information about the webserver technology and
version could already give an attacker a chance to test for specific vulnerabilities known
for the exposed technology.

Currently Zinc always responds with a server string telling that the server was built
with "Zinc HTTP Components 1.0 (Pharo/7.0)".

This comes from

ZnConstants defaultServerString

Unfortunately it is hardcoded and cannot be influenced without hard-overriding
these methods.

We should improve on that by using a lazily initialized class variable and giving a
developer the possibility to set a different server response string:

ZnConstants defaultServerString: "MySecureServerThatDoesNotExposeNameVersionAndTechnology"

Side note 1:
This is also helpful if you want to "mock" other server signatures (act as if
the resources of a Zinc response come from a Glassfish, Tomcat or other instead of Zinc Pharo).

Side note 2:
It is known that in most web production scenarios you have a webserver like Apache,
Nginx or other in front taking care of headers and other things. Nonetheless it is possible
to work without them and therefore it should be possible to set a different server string.

To not get out of sync we should also include this into the regular Zinc framework.

Priority: 3 – Must Fix
Status: Resolved (Fix Review Needed)
Assigned to: Torsten Bergmann
Milestone: Pharo7.0
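As an added example (not code from the case or from the Zinc project), the following Playground snippet shows how a developer would use the setter proposed above and then verify, with a real request through ZnClient, which Server header the running server actually emits. It assumes that `ZnConstants class>>defaultServerString:` exists exactly as proposed in this case and that the server reads the value when building each response; the port 1701 and the string 'MyServer' are constructed values.

```smalltalk
"Added example, not part of the case: configure the proposed custom server
 string, start a Zinc server, and check the Server header a client receives.
 Assumption: ZnConstants defaultServerString: exists as proposed in the case."
| server client serverHeader |
ZnConstants defaultServerString: 'MyServer'.   "constructed value; reveals no technology or version"
server := ZnServer startOn: 1701.              "constructed port"
[ client := ZnClient new.
  client get: 'http://localhost:1701/'.
  serverHeader := client response headers at: 'Server' ifAbsent: [ nil ].
  "Fail loudly if the default Zinc/Pharo string is still exposed."
  serverHeader = 'MyServer'
      ifFalse: [ self error: 'Server header still exposes: ', serverHeader printString ] ]
  ensure: [ server stop ].
```

Running the same snippet without the `defaultServerString:` line is the quickest way to confirm the disclosure described in the case: the Server header then carries the Zinc framework name and the Pharo version.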



Pharo-bugtracker mailing list