Hi Mitchell,
The TDS 5 uses Thymeleaf templates which control the look of the catalog
pages. They can be modified to display the catalogs to exclude the server
version information:
- https://docs.unidata.ucar.edu/tds/5.0/userguide/customizing_tds_look_and_feel.html
We implement a custom footer on our thredds-test.unidata.ucar.edu and
thredds-dev.unidata.ucar.edu servers. Here is how we do it:
- https://github.com/Unidata/TdsConfig/blob/753f1000dc77163afc1fc0c0e19336f9a1154224/threddsTest/templates/tdsTemplateFragments.html#L25
The file would live in ${tds.content.root.path}/thredds/templates/ and
should use the name tdsTemplateFragments.html
<h4><th:block th:text="${webappName} + ' [Version ' + ${webappVersion} + ' - ' + ${webappBuildTimestamp} + ']'"/><a class="static" href="https://docs.unidata.ucar.edu/thredds/5.0.0-SNAPSHOT/userguide/index.html"> Documentation</a></h4>
To be clear, the TDS 5.0.0-beta9 release currently does not have any
known/open security vulnerabilities.
That said, I completely understand why you would want to obfuscate or
remove the version info from any third-party server or application you
run. Therefore, we will be removing the server version info from public
visibility in the next release of the TDS 5. :-)
Please let us know if you have any questions!
Cheers,
Jennifer
On Fri, Sep 3, 2021 at 8:53 AM Brown, Mitchell E ERDC-RDE-CHL-MS CIV via
thredds <thredds@xxxxxxxxxxxxxxxx> wrote:
> I have security vulnerabilities that I have to address for our TDS
> instances that deal with server version information being displayed. This
> occurs on EVERY page that comes up in the catalog at the very bottom and
> looks something like this:
>
> THREDDS Data Server [Version 5.0.0-beta9 - 2021-09-01T02:47:21+0000]
> Documentation
>
> Also, the Info page displays information, such as shown below.
>
> - Webapp Name: THREDDS Data Server
> - Webapp Version: 5.0.0-beta9
>
> I am temporarily addressing the vulnerability by commenting out a few
> lines in the following files:
>
> - thredds##5.0.0-beta9/WEB-INF/templates/commonFragments.html
> - thredds##5.0.0-beta9/WEB-INF/jsp/thredds/server/serverinfo/serverInfo_html.jsp
>
> Is there a better way to do this? Each time I update the TDS version, I
> have to manually modify these files again. This is occurring in TDS 5
> betas, but also was present in TDS 4.x as well.
>
> Thanks,
> Mitchell Brown
>
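Added example (not part of the original thread, and not Unidata code): a post-upgrade regression check that scans rendered TDS HTML for the two version disclosures quoted above, so a reverted template is caught after each update. The function name and the sample pages are constructed for illustration; only the banner and "Webapp Version" formats come from the thread.

```python
import re
from html.parser import HTMLParser

# Patterns derived from the two disclosures quoted in the thread.
PATTERNS = {
    "footer banner": re.compile(r"\[Version\s+(?P<version>[^\s\]]+)\s+-\s+[^\]]+\]"),
    "info page": re.compile(r"Webapp Version:\s*(?P<version>\S+)"),
}

class _Collector(HTMLParser):
    """Collects visible text and HTML comments separately."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.comments = [], []
    def handle_data(self, data):
        self.text.append(data)
    def handle_comment(self, data):
        self.comments.append(data)

def find_version_disclosures(html):
    """Return (where, kind, version) tuples for every version string found.

    HTML comments are checked too: an expression inside <!-- --> in a JSP
    is still evaluated server-side and sent to the client in page source.
    """
    c = _Collector()
    c.feed(html)
    c.close()
    blobs = {
        "visible": " ".join(" ".join(c.text).split()),
        "comment": " ".join(" ".join(c.comments).split()),
    }
    return [(where, kind, m.group("version"))
            for where, blob in blobs.items()
            for kind, pat in PATTERNS.items()
            for m in pat.finditer(blob)]

# Constructed sample pages (not captured from a real server).
DEFAULT_FOOTER = ('<h4>THREDDS Data Server [Version 5.0.0-beta9 - '
                  '2021-09-01T02:47:21+0000] <a href="#">Documentation</a></h4>')
INFO_PAGE = ('<ul><li><em>Webapp Name:</em> THREDDS Data Server</li>'
             '<li><em>Webapp Version:</em> 5.0.0-beta9</li></ul>')
COMMENTED_OUT = ('<!-- <h4>THREDDS Data Server [Version 5.0.0-beta9 - '
                 '2021-09-01T02:47:21+0000]</h4> --><h4>Documentation</h4>')
CUSTOM_FOOTER = '<h4>THREDDS Data Server <a href="#">Documentation</a></h4>'

if __name__ == "__main__":
    for name in ("DEFAULT_FOOTER", "INFO_PAGE", "COMMENTED_OUT", "CUSTOM_FOOTER"):
        print(name, find_version_disclosures(globals()[name]))
```

To use it against a live instance, feed it the HTML of a catalog page and the server info page fetched after each upgrade and fail the deployment if the returned list is not empty.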