To prevent version disclosure, I would like CherryPy not to reveal its version. It is revealed on the error page and in the server header. How can this be disabled?

Luc

2 Answers

Adding onto Luc's answer:

In your config you should change your 'response.headers.server' to '' or something custom to hide the version in browser headers as well.

You can edit the template code as well to remove the "Powered by". For example, this will replace it with ''.

    import cherrypy

    cherrypy.__version__ = ''  # read by both the error page template and the Server header
    cherrypy._cperror._HTTPErrorTemplate = cherrypy._cperror._HTTPErrorTemplate.replace('Powered by <a href="http://www.cherrypy.org">CherryPy %(version)s</a>\n', '%(version)s')  # str.replace() is a silent no-op if the installed template text differs

J_K

This does not seem to be supported by CherryPy, but we can manage ourselves!

The error page template is hardcoded in _cperror.py and removing the version number from the template would only be possible through a custom error page. However, we can override the variable from which the version number is read:

    import cherrypy

    cherrypy.__version__ = ''

Looking at usage of the variable, we see that this will affect both the error pages and the HTTP header:

    /usr/local/lib/python3.6/dist-packages/cherrypy$ grep cherrypy.__version__ *.py
    _cperror.py:         kwargs['version'] = cherrypy.__version__
    _cprequest.py:       'Server': 'CherryPy/' + cherrypy.__version__,

The HTTP Server header will still mention CherryPy. This can be overridden, as mentioned by Baxter, by setting the config variable response.headers.server:

    cherrypy.config.update({
        'response.headers.server': '',
        })

Your error pages will still disclose 'Powered by CherryPy', but at least no version number will be mentioned.

Note that both code snippets have to be put before starting the server (i.e. before you call cherrypy.quickstart(...)).

Luc