Re: [thredds] Remove TDS Version information shown at bottom of page and on Info page.

  • To: "Brown, Mitchell E ERDC-RDE-CHL-MS CIV" <Mitchell.E.Brown@xxxxxxxxxxxxx>
  • Subject: Re: [thredds] Remove TDS Version information shown at bottom of page and on Info page.
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Tue, 7 Sep 2021 08:53:41 -0600
Hi Mitchell,

The TDS 5 uses Thymeleaf templates which control the look of the catalog
pages.  They can be modified to display the catalogs to exclude the server
version information:


   - https://docs.unidata.ucar.edu/tds/5.0/userguide/customizing_tds_look_and_feel.html


We implement a custom footer on our thredds-test.unidata.ucar.edu and
thredds-dev.unidata.ucar.edu servers. Here is how we do it:


   - https://github.com/Unidata/TdsConfig/blob/753f1000dc77163afc1fc0c0e19336f9a1154224/threddsTest/templates/tdsTemplateFragments.html#L25


The file would live in ${tds.content.root.path}/thredds/templates/  and
should use the name tdsTemplateFragments.html

<h4><th:block th:text="${webappName} + ' [Version ' + ${webappVersion} + ' - ' + ${webappBuildTimestamp} + ']'"/><a class="static"
    href="https://docs.unidata.ucar.edu/thredds/5.0.0-SNAPSHOT/userguide/index.html">Documentation</a></h4>


To be clear, the TDS 5.0.0-beta9 release currently does not have any
known/open security vulnerabilities.

That said, I completely understand why you would want to obfuscate or
remove the version info from any third-party server or application you
run.  Therefore, we will be removing the server version info from public
visibility in the next release of the TDS 5.  :-)

Please let us know if you have any questions!

Cheers,
Jennifer

On Fri, Sep 3, 2021 at 8:53 AM Brown, Mitchell E ERDC-RDE-CHL-MS CIV via
thredds <thredds@xxxxxxxxxxxxxxxx> wrote:

> I have security vulnerabilities that I have to address for our TDS
> instances that deal with server version information being displayed.  This
> occurs on EVERY page that comes up in the catalog at the very bottom and
> looks something like this:
>
> THREDDS Data Server [Version 5.0.0-beta9 - 2021-09-01T02:47:21+0000]
> Documentation
>
> Also, the Info page displays information, such as shown below.
>
>    - Webapp Name: THREDDS Data Server
>    - Webapp Version: 5.0.0-beta9
>
> I am temporarily addressing the vulnerability by commenting out a few
> lines in the following files:
>
>    - thredds##5.0.0-beta9/WEB-INF/templates/commonFragments.html
>    - thredds##5.0.0-beta9/WEB-INF/jsp/thredds/server/serverinfo/serverInfo_html.jsp
>
>
> Is there a better way to do this?  Each time I update the TDS version, I
> have to manually modify these files again.  This is occurring in TDS 5
> betas, but also was present in TDS 4.x as well.
>
> Thanks,
> Mitchell Brown
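A check for the result of the template change discussed in this thread, as an added example that is not part of the original messages or of the TDS code base: it scans served HTML for the two version strings quoted above, both in visible text and in HTML comments, which still reach the client. The sample pages are constructed, and the function and constant names are assumptions of this example.

```python
import re
from html.parser import HTMLParser

# Patterns for the two strings quoted in this thread (footer banner, Info page).
BANNER = re.compile(r"\[Version\s+([\w.-]+)\s+-\s+[^\]]*\]")
INFO = re.compile(r"Webapp Version:\s*([\w.-]+)")

class _Collector(HTMLParser):
    """Collects visible text and HTML comments separately."""
    def __init__(self):
        super().__init__()
        self.text, self.comments = [], []
    def handle_data(self, data):
        self.text.append(data)
    def handle_comment(self, data):
        self.comments.append(data)

def find_version_disclosures(html):
    """Return (where, kind, version) for each version string in the page."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    findings = []
    for where, chunks in (("visible", parser.text), ("comment", parser.comments)):
        # Drop markup left inside comments, then collapse whitespace and line wraps.
        blob = " ".join(re.sub(r"<[^>]*>", " ", " ".join(chunks)).split())
        findings += [(where, "footer banner", m.group(1)) for m in BANNER.finditer(blob)]
        findings += [(where, "info page", m.group(1)) for m in INFO.finditer(blob)]
    return findings

# Constructed sample pages (not captured from a real server).
DEFAULT_PAGE = """<html><body><h4>THREDDS Data Server [Version 5.0.0-beta9 -
2021-09-01T02:47:21+0000]<a class="static" href="#">Documentation</a></h4></body></html>"""
INFO_PAGE = "<ul><li>Webapp Name: THREDDS Data Server</li><li>Webapp Version: <b>5.0.0-beta9</b></li></ul>"
COMMENTED_PAGE = "<body><!-- <h4>THREDDS Data Server [Version 5.0.0-beta9 - 2021-09-01T02:47:21+0000]</h4> --></body>"
CUSTOM_PAGE = '<body><h4>THREDDS Data Server <a class="static" href="#">Documentation</a></h4></body>'

if __name__ == "__main__":
    for name, page in [("default", DEFAULT_PAGE), ("info", INFO_PAGE),
                       ("commented", COMMENTED_PAGE), ("custom", CUSTOM_PAGE)]:
        print(name, find_version_disclosures(page) or "no version string found")
```
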