Opened 9 years ago

Closed 7 years ago

#452 closed enhancement (no response)

http headers not filtered (server x-powered-by etc)

Reported by: dream
Owned by: dream
Priority: minor
Milestone: 0.9
Component: apps/i2ptunnel
Version: 0.8.4
Keywords:
Cc:
Parent Tickets:
Sensitive: no

Description

The i2ptunnel http server tunnel should have a whitelist of headers it lets through. Among other things, you have to custom patch Apache not to send a "Server: apache" header.

Change History (4)

comment:1 Changed 9 years ago by zzz

Component: unspecified → apps/i2ptunnel
Milestone: 0.8.5 → 0.8.6
Priority: major → minor
Type: defect → enhancement

"Server" is filtered since 0.8.3. In fact it's code related to that change that is causing the trac login problems (ticket #396).

As discussed elsewhere (zzz.i2p, or on forum.i2p threads related to irongeek's talk iirc) it's hard to anonymize a server with filtering. Error pages, for example, often contain detailed version info.

I was initially against filtering 'Server' as I thought it didn't do much. But Mathias convinced me that it was easy and we might as well do something. Since we are still having login problems I guess it wasn't so easy.

I don't think we can do it with a whitelist, it would break too much. But extending the blacklist to include a couple others like x-powered-by might be good… once we fix the trac login problem!
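To make the whitelist-versus-blacklist trade-off from the description and this comment concrete, here is an added example (not i2ptunnel code) that strips the two headers named in the ticket from a raw HTTP response, and shows how an assumed minimal whitelist drops unrelated, legitimate headers as well:

```python
# Added example, not i2ptunnel code: strip identifying headers from a raw HTTP
# response in the two styles the ticket debates (blacklist vs whitelist).

# Headers the ticket names as revealing the server software.
IDENTIFYING_HEADERS = frozenset({"server", "x-powered-by"})

# Assumed whitelist for the example; small on purpose, to show how a
# whitelist silently drops legitimate headers (e.g. X-Frame-Options below).
MINIMAL_WHITELIST = frozenset({"content-type", "content-length", "date",
                               "location", "set-cookie", "cache-control"})

def split_response(raw: bytes):
    """Split a raw response into (status line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def filter_headers(headers, mode="blacklist"):
    """Keep headers that pass the chosen policy; names compared case-insensitively."""
    if mode == "blacklist":
        return [(n, v) for n, v in headers if n.lower() not in IDENTIFYING_HEADERS]
    if mode == "whitelist":
        return [(n, v) for n, v in headers if n.lower() in MINIMAL_WHITELIST]
    raise ValueError(f"unknown mode {mode!r}")

def rewrite_response(raw: bytes, mode="blacklist") -> bytes:
    """Re-serialise the response with filtered headers; the body is untouched."""
    status, headers, body = split_response(raw)
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in filter_headers(headers, mode)])
    return head.encode("latin-1") + b"\r\n\r\n" + body

# Constructed sample response, not captured from any real server.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache\r\n"
          b"x-powered-by: PHP\r\n"
          b"Content-Type: text/html\r\n"
          b"X-Frame-Options: DENY\r\n"
          b"Content-Length: 5\r\n"
          b"\r\n" b"hello")
```

Header filtering only touches what the server says about itself in headers; as the comment notes, error pages and other body content can still carry version details.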

comment:2 Changed 8 years ago by zzz

Milestone: 0.8.6 → 0.9

Trac login problem was fixed a couple releases ago. Server: is now filtered. Would you please make a list of all other headers that you propose to filter?

comment:3 Changed 8 years ago by zzz

Owner: set to dream
Status: new → assigned

reassigning to dream for a response

comment:4 Changed 7 years ago by zzz

Resolution: no response
Status: assigned → closed