merge this fix from 2.1-dev:

  *) Don't respect the Server header field as set by modules and CGIs.
     As with 1.3, for proxy requests any such field is from the origin
     server; otherwise it will have our server info as controlled by
     the ServerTokens directive.  [Jeff Trawick]

Reviewed by:	nd, jerenkrantz

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@100479 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index 761606330688b8d1990f0278331d797f0e56d1ee..16c8ea9d728ba07404fc546b4006f1e68c04bc1d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+Changes with Apache 2.0.48
+
+  *) Don't respect the Server header field as set by modules and CGIs.
+     As with 1.3, for proxy requests any such field is from the origin 
+     server; otherwise it will have our server info as controlled by
+     the ServerTokens directive.  [Jeff Trawick]
+
 Changes with Apache 2.0.47
 
   *) Prevent the server from crashing when entering infinite loops. The

diff --git a/STATUS b/STATUS
index 0f5cc5f2cbb28f785ced0e0196507a5255677ccb..6adb1bc70f715e997b804e0357e0b165eae142de 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,5 +1,5 @@
 APACHE 2.0 STATUS:                                              -*-text-*-
-Last modified at [$Date: 2003/07/05 01:28:11 $]
+Last modified at [$Date: 2003/07/07 19:11:34 $]
 
 Release:
 
@@ -197,21 +197,6 @@ PATCHES TO PORT FROM 2.1
         build/.cvsignore 1.4
         +1: trawick, jerenkrantz
 
-    * Ignore the Server header field as set by modules and CGIs.
-        modules/http/http_protocol.c 1.470
-        jerenkrantz: When it is a proxy response that doesn't have server
-                     string set, we shouldn't place one there.  Correct?
-        trawick:     rfc2616/14.38: "The Server response-header field contains
-                     information about the software used by the origin server 
-                     to handle the request." ... "If the response is being 
-                     forwarded through a proxy, the proxy application MUST NOT
-                     modify the Server response-header."  
-                     I don't see any wiggle room for us to be adding one if
-                     the origin server didn't include it.
-                     BTW, with my patch Apache 2 and Apache 1.3 will behave
-                     identically.  (That's how I read the code, anyway :) )
-        +1: trawick, nd, jerenkrantz
-
     * mod_rewrite: Perform child initialization on the rewrite log
       lock.  This fixes a log corruption issue when flock-based 
       serialization is used (e.g., FreeBSD).

diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index 14faecc8f275ee40accd19d9157d1aabb9384047..8d120bb767b06f910a1defe4b56bbf3e6511ed0d 100644 (file)
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -1279,10 +1279,13 @@ static void basic_http_header(request_rec *r, apr_bucket_brigade *bb,
     h.bb = bb;
     form_header_field(&h, "Date", date);
 
-    /* keep a previously set server header (possibly from proxy), otherwise
+    /* keep the set-by-proxy server header, otherwise
      * generate a new server header */
-    if ((server = apr_table_get(r->headers_out, "Server")) != NULL) {
-        form_header_field(&h, "Server", server);
+    if (r->proxyreq != PROXYREQ_NONE) {
+        server = apr_table_get(r->headers_out, "Server");
+        if (server) {
+            form_header_field(&h, "Server", server);
+        }
     }
     else {
         form_header_field(&h, "Server", ap_get_server_version());