Vista combinada Visión Plana Vista de árbol
Discusiones [ Anterior | Siguiente ]
toggle
Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 3 de marzo de 2011 22:17
RE: Security Issue : Liferay Name and Version in Response Header Shagul Khajamohideen 4 de marzo de 2011 8:34
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 4 de marzo de 2011 8:51
RE: Security Issue : Liferay Name and Version in Response Header David H Nebinger 10 de marzo de 2011 11:22
RE: Security Issue : Liferay Name and Version in Response Header Manish Kumar Jaiswal 11 de marzo de 2011 4:45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 de enero de 2013 0:08
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 de enero de 2013 2:45
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 de enero de 2013 3:02
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 de enero de 2013 3:18
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 19 de enero de 2013 3:22
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 19 de enero de 2013 11:47
RE: Security Issue : Liferay Name and Version in Response Header Amit Kumar Gupta 20 de enero de 2013 8:54
RE: Security Issue : Liferay Name and Version in Response Header Jelmer Kuperus 20 de enero de 2013 12:28
RE: Security Issue : Liferay Name and Version in Response Header Hitoshi Ozawa 20 de enero de 2013 13:03
RE: Security Issue : Liferay Name and Version in Response Header satyam kaushik 1 de noviembre de 2013 3:59
Manish Kumar Jaiswal
Security Issue : Liferay Name and Version in Response Header
3 de marzo de 2011 22:17
Respuesta

Manish Kumar Jaiswal

Ranking: Regular Member

Mensajes: 133

Fecha de incorporación: 25 de noviembre de 2008

Mensajes recientes

Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?
Shagul Khajamohideen
RE: Security Issue : Liferay Name and Version in Response Header
4 de marzo de 2011 8:34
Respuesta

Shagul Khajamohideen

Ranking: Liferay Master

Mensajes: 759

Fecha de incorporación: 27 de septiembre de 2007

Mensajes recientes

Manish Kumar Jaiswal:
Liferay Leaks out the in its Resonse headers its Name and Version . How Can I restrict it , What Exact modification will make it hide (I hope something into Tomcat ...mine is Liferay 6.0.5 + tomcat-6.0.26)...?



I think the response headers are intentional and not a mistake. I do not see any configurations to change the behavior.

If there is no configurable way to do that, I see two options
1) Customize/extend the code behind that to no set those response headers
2) Use some kind of modify header options in apache or any web server (based on what they support) to remove those headers.

http://httpd.apache.org/docs/2.0/mod/mod_headers.html
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
4 de marzo de 2011 8:51
Respuesta

David H Nebinger

Community Moderator

Ranking: Liferay Legend

Mensajes: 8336

Fecha de incorporación: 1 de septiembre de 2006

Mensajes recientes

Sure they're intentional (as they are purposely returning it), but I can't see what value it would have.

It is strange that www.liferay.com returns the header:

1Liferay-Portal:Liferay Portal Enterprise Edition 5.2 EE SP6 (Augustine / Build 5210 / February 14, 2011)


With 6.0 out for awhile now, you'd think they would push their own folks to use the latest release.

It begs the question, what is so wrong with 6.0 that you need to stay on 5.2? If you're staying on 5.2, then perhaps we should too...
David H Nebinger
RE: Security Issue : Liferay Name and Version in Response Header
10 de marzo de 2011 11:22
Respuesta

David H Nebinger

Community Moderator

Ranking: Liferay Legend

Mensajes: 8336

Fecha de incorporación: 1 de septiembre de 2006

Mensajes recientes

I've just submitted a patch in LPS-2748 for the 6.0.6 CE edition that adds a new boolean property, response.header.liferay.version, defaults to true but controls the addition of the header. This would allow for it to overridden in portal-ext.properties to disable the header addition.

I think it cannot be done as an extension plugin since it is a change to the portal's MainServlet class (and other key classes) and would probably need to be applied directly to the 6.0.6 code base and built manually...

Boy, I sure miss the extension environment (where such a change would have been a breeze to incorporate).
Manish Kumar Jaiswal
RE: Security Issue : Liferay Name and Version in Response Header
11 de marzo de 2011 4:45
Respuesta

Manish Kumar Jaiswal

Ranking: Regular Member

Mensajes: 133

Fecha de incorporación: 25 de noviembre de 2008

Mensajes recientes

Nice David !!!!!!!!!!!!
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 0:08
Respuesta

Amit Kumar Gupta

Ranking: New Member

Mensajes: 24

Fecha de incorporación: 25 de noviembre de 2010

Mensajes recientes

Manish Kumar Jaiswal:
Nice David !!!!!!!!!!!!



Dear .Manish Kumar Jaiswal

How are you?

We have also hide the liferay verion from our portal.
How can we achieve?

i have set response.header.liferay.version=false in portal-ext.properties but it is not working....


its urgent.....
mail me solution
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 2:45
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1192

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

The property that was added is not response.header.liferay.version but this one :

#
# Set the level of verbosity to use for the Liferay-Portal field in the HTTP
# header response. Valid values are "full", which gives all of the version
# information (e.g. Liferay Portal Community Edition 6.1.0 CE etc.) or
# "partial", which gives only the name portion (e.g. Liferay Portal
# Community Edition).
#
http.header.version.verbosity=full


What does not seem to be documented is that you can change this setting for the community edition to

http.header.version.verbosity=Liferay Portal Community Edition


or for the enterprise edition to (probably)

http.header.version.verbosity=Liferay Portal Enterprise Edition


To get rid of the header completely
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 3:02
Respuesta

Amit Kumar Gupta

Ranking: New Member

Mensajes: 24

Fecha de incorporación: 25 de noviembre de 2010

Mensajes recientes

I have tried below
http.header.version.verbosity=Liferay Portal Community Edition
and
http.header.version.verbosity=partial
one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.

Plz help me
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 3:18
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1192

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

what version of liferay are you using ?
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 3:22
Respuesta

Amit Kumar Gupta

Ranking: New Member

Mensajes: 24

Fecha de incorporación: 25 de noviembre de 2010

Mensajes recientes

Liferay CE 6.0.6
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
19 de enero de 2013 11:47
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1192

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

That property is only supported on

liferay ce >= 6.1.0
liferay ee >= 6.0.12

You could (if you are not already doing this) run apache httpd in front of Liferay (using mod_proxy or mod_jk)
You can then use mod_rewrite to remove this header eg :

RequestHeader unset Liferay-Portal
Amit Kumar Gupta
RE: Security Issue : Liferay Name and Version in Response Header
20 de enero de 2013 8:54
Respuesta

Amit Kumar Gupta

Ranking: New Member

Mensajes: 24

Fecha de incorporación: 25 de noviembre de 2010

Mensajes recientes

Thanks for Reply

Can you please suggest me the exact Apache configuration of mod_rewrite?

In fact we are using Apache as front server (and liferay CE 6.0.6 behind it).
Jelmer Kuperus
RE: Security Issue : Liferay Name and Version in Response Header
20 de enero de 2013 12:28
Respuesta

Jelmer Kuperus

Ranking: Liferay Legend

Mensajes: 1192

Fecha de incorporación: 10 de marzo de 2010

Mensajes recientes

sure, would you like me to hold your hand while you type it in too?
Hitoshi Ozawa
RE: Security Issue : Liferay Name and Version in Response Header
20 de enero de 2013 13:03
Respuesta

Hitoshi Ozawa

Ranking: Liferay Legend

Mensajes: 7952

Fecha de incorporación: 23 de marzo de 2010

Mensajes recientes

one by one in protal-ext.properies file and restart my tomcat server but servre is show full liferay version.


This won't help you solve your problem on hand but the file name should be "portal-ext.properties".


BTW, I'm willing to help. Where can I send you my bills?
satyam kaushik
RE: Security Issue : Liferay Name and Version in Response Header
1 de noviembre de 2013 3:59
Respuesta

satyam kaushik

Ranking: New Member

Mensajes: 4

Fecha de incorporación: 1 de junio de 2013

Mensajes recientes

Is it possible to display blank or remove the Liferay-Portal header in the request header.I already use partial and it works fine.But I don't want to display server information at all in the request header.

My another doubt is when I tried to call setHeader(" Liferay-Portal"," ") on the reference of HttpServletResponse but it didn't work.Why?