Mark Thomas wrote:

I dislike patches which cause a performance hit for the sole interest of embedders who don't contribute anything.



Agreed. But this wasn't the reasoning behind the patch.

From the original bug report (16254) I believe the reporter had a security
motive. To repeat some of my earlier comments on this change:
<quote>
...section 14.38 of RFC 2616 does state
<spec-quote>
Note: Revealing the specific software version of the server might
     allow the server machine to become more vulnerable to attacks
     against software that is known to contain security holes. Server
     implementors are encouraged to make this field a configurable
     option.
</spec-quote>

The default doesn't include a specific version but I think allowing it to be
overridden is more in line with the quote above.

Further, I couldn't see anything in the servlet spec that limits the use of
response.setHeader() to a subset of HTTP headers.


There are a lot of protocol specific headers that you cannot set using that.

The patch I applied was based on the handling of the date header immediately
previously in the same class.
</quote>


You are quite right that the date header special handling should probably go as well ;)

My position remains that the above reasons are sufficient justification for the
patch to remain.


My position remains the same as well.

Rémy

