Foren

Home » Liferay Portal » English » 3. Development

Kombinierte Ansicht Flache Ansicht Baumansicht
Threads [ Zurück | Nächste ]
toggle
Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 3. März 2011 22:17
RE: Security Issue : Liferay Name and Version in Response Header Shagul Khajamohideen 4. März 2011 08:34
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 4. März 2011 08:51
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 10. März 2011 11:22
RE: Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 11. März 2011 04:45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19. Januar 2013 00:08
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19. Januar 2013 02:45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19. Januar 2013 03:02
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19. Januar 2013 03:18
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19. Januar 2013 03:22
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19. Januar 2013 11:47
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 20. Januar 2013 08:54
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 20. Januar 2013 12:28
RE: Security Issue : Liferay Name and Version in Response Header Hitoshi Ozawa 20. Januar 2013 13:03
RE: Security Issue : Liferay Name and Version in Response Header satyam kaushik 1. November 2013 03:59
Manish Kumar Jaiswal
Security Issue : Liferay Name and Version in Response Header
3. März 2011 22:17
Antwort

Manish Kumar Jaiswal

Rang: Regular Member

Nachrichten: 133

Eintrittsdatum: 25. November 2008

Neue Beiträge

Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?
Shagul Khajamohideen
RE: Security Issue : Liferay Name and Version in Response Header
4. März 2011 08:34
Antwort

Shagul Khajamohideen

Rang: Liferay Master

Nachrichten: 759

Eintrittsdatum: 27. September 2007

Neue Beiträge

Manish Kumar Jaiswal:
Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?



I think the response headers are intentional and not a mistake. I do not see any configurations to change the behavior.

If there is no configurable way to do that, I see two options
1) Customize/extend the code behind that to no set those response headers
2) Use some kind of modify header options in apache or any web server (based on what they support) to remove those headers.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
4. März 2011 08:51
Antwort

David H Nebinger

Rang: Liferay Legend

Nachrichten: 7027

Eintrittsdatum: 1. September 2006

Neue Beiträge

Sure they're intentional (as they are purposely returning it), but I can't see what value it would have.

It is strange that www.liferay.com returns the header:

1Liferay-Portal:Liferay Portal Enterprise Edition 5.2 EE SP6 (Augustine / Build 5210 / February 14, 2011)


With 6.0 out for awhile now, you'd think they would push their own folks to use the latest release.

It begs the question, what is so wrong with 6.0 that you need to stay on 5.2? If you're staying on 5.2, then perhaps we should too...
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
10. März 2011 11:22
Antwort

David H Nebinger

Rang: Liferay Legend

Nachrichten: 7027

Eintrittsdatum: 1. September 2006

Neue Beiträge

I've just submitted a patch in LPS-2748 for the 6.0.6 CE edition that adds a new boolean property, response.header.liferay.version, defaults to true but controls the addition of the header. This would allow for it to overridden in portal-ext.properties to disable the header addition.

I think it cannot be done as an extension plugin since it is a change to the portal's MainServlet class (and other key classes) and would probably need to be applied directly to the 6.0.6 code base and built manually...

Boy, I sure miss the extension environment (where such a change would have been a breeze to incorporate).
Manish Kumar Jaiswal
RE: Security Issue : Liferay Name and Version in Response Header
11. März 2011 04:45
Antwort

Manish Kumar Jaiswal

Rang: Regular Member

Nachrichten: 133

Eintrittsdatum: 25. November 2008

Neue Beiträge

Nice David !!!!!!!!!!!!
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 00:08
Antwort

Amit Kumar Gupta

Rang: New Member

Nachrichten: 24

Eintrittsdatum: 25. November 2010

Neue Beiträge

Manish Kumar Jaiswal:
Nice David !!!!!!!!!!!!



Dear .Manish Kumar Jaiswal

How are you?

We have also hide the liferay verion from our portal.
How can we achieve?

i have set response.header.liferay.version=false in portal-ext.properties but it is not working....


its urgent.....
mail me solution
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 02:45
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

The property that was added is not response.header.liferay.version but this one :

#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=full


What does not seem to be documented is that you can change this setting for the community edition to

http.header.version.verbosity=Liferay Portal Community Edition


or for the enterprise edition to (probably)

http.header.version.verbosity=Liferay Portal Enterprise Edition


To get rid of the header completely
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 03:02
Antwort

Amit Kumar Gupta

Rang: New Member

Nachrichten: 24

Eintrittsdatum: 25. November 2010

Neue Beiträge

I have tried below
http.header.version.verbosity=Liferay Portal Community Edition
and
http.header.version.verbosity=partial
one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.

Plz help me
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 03:18
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

what version of liferay are you using ?
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 03:22
Antwort

Amit Kumar Gupta

Rang: New Member

Nachrichten: 24

Eintrittsdatum: 25. November 2010

Neue Beiträge

Liferay CE 6.0.6
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19. Januar 2013 11:47
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

That property is only supported on

liferay ce >= 6.1.0
liferay ee >= 6.0.12

You could (if you are not already doing this) run apache httpd in front of Liferay (using mod_proxy or mod_jk)
You can then use mod_rewrite to remove this header eg :

RequestHeader unset Liferay-Portal
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
20. Januar 2013 08:54
Antwort

Amit Kumar Gupta

Rang: New Member

Nachrichten: 24

Eintrittsdatum: 25. November 2010

Neue Beiträge

Thanks for Reply

Can you please suggest me the exact Apache configuration of mod_rewrite?

In fact we are using Apache as front server (and liferay CE 6.0.6 behind it).
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
20. Januar 2013 12:28
Antwort

Jelmer Kuperus

Rang: Liferay Legend

Nachrichten: 1192

Eintrittsdatum: 10. März 2010

Neue Beiträge

sure, would you like me to hold your hand while you type it in too?
Hitoshi Ozawa
RE: Security Issue : Liferay Name and Version in Response Header
20. Januar 2013 13:03
Antwort

Hitoshi Ozawa

Rang: Liferay Legend

Nachrichten: 7990

Eintrittsdatum: 23. März 2010

Neue Beiträge

one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.


This won't help you solve your problem on hand but the file name should be "portal-ext.properties".


BTW, I'm willing to help. Where can I send you my bills?
satyam kaushik
RE: Security Issue : Liferay Name and Version in Response Header
1. November 2013 03:59
Antwort

satyam kaushik

Rang: New Member

Nachrichten: 4

Eintrittsdatum: 1. Juni 2013

Neue Beiträge

Is it possible to display blank or remove the Liferay-Portal header in the request header.I already use partial and it works fine.But I don't want to display server information at all in the request header.

My another doubt is when I tried to call setHeader(" Liferay-Portal"," ") on the reference of HttpServletResponse but it didn't work.Why?