[PATCH 2/4] httpd: Don't add Date header to response

Sergey Ponomarev stokito at gmail.com
Mon Aug 31 15:20:32 UTC 2020


Thank you guys for your inputs.
I checked all the links, and it looks like a few years ago there was some breach
in NTP daemons, so some ISP disabled it.
It looks like almost everyone just called 1.1.1.1 or google.com. So it does not
necessarily have to be a router or embedded device.
Given how small the number of such users is, and that only part of them probably may
not have Internet access or even server access, I think we are safe here.

> fork+exec is pretty heavy

Yes but such calls are not expected to be so intensive: maybe just once per
day per client.

BTW the more real problem is with httpd_indexcgi.c which provides directory
listing as a CGI script. All other web servers have a built-in listing.

Speaking of Date being required by the RFC: I sent an email to the HTTP WG
https://lists.w3.org/Archives/Public/ietf-http-wg/2020JulSep/0142.html

Anyway, the Date header is still compiled by default but those who don't
need it may disable it.




On Mon, 31 Aug 2020 at 11:25, Bernd Petrovitsch <bernd at petrovitsch.priv.at>
wrote:

> Hi all!
>
> On Mon, 2020-08-31 at 09:53 +0200, Guillermo Rodriguez Garcia wrote:
> [...]
> > On Sat, 29 Aug 2020 at 21:37, Sergey Ponomarev
> > (<stokito at gmail.com>) wrote:
> > > > I have seen clients set the local date from there when ntp was not available.
> > >
> > > I'm just curious, could you please provide more details. What was the type of clients? Embedded devices or something else.
> >
> > Embedded devices.
>
> Perhaps it makes sense to check which is the smallest
> Only-NTP-Client implementation.
>
> > > Why wasn't ntp available for them? How often does this happen in the wild?
> >
> > Not sure. Some examples:
> >
> > https://www.snbforums.com/threads/ntp-blocked-alternatives-to-ntpd-for-updating-time.46541/page-3#post-404882
> >
> > https://askubuntu.com/questions/1035525/set-date-and-time-from-http-header-in-router-with-curl-or-wget
>
> There's a lot of unnecessary fork+exec in these (so-called) "solutions"
> (and in the thread above also).
> fork+exec is pretty heavy weight and slow on average/typical embedded
> devices.
>
> And thus it's not really that exact (which may be no issue - depending
> on the application).
>
> I haven't tried but most - if not all - can be easily replaced with "pure
> dash".
>
> [...]
> > But clients that you don't control may just assume that the Date
> > header is present (since it is mandated by RFC2616) and disabling this
> > would break them.
>
> Well, if the header is required by a standard ....
>
> MfG,
>         Bernd
> --
> Bernd Petrovitsch                  Email : bernd at petrovitsch.priv.at
> There is no cloud, just other people computers. - FSFE
>                      LUGA : http://www.luga.at


-- 
Sergey Ponomarev <https://linkedin.com/in/stokito>, skype:stokito
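
The thread discusses clients that set their clock from the HTTP Date header and whether the fork+exec in the linked recipes can be avoided. The following is an added example, not code from the patch or from any poster: a POSIX sh function that converts a Date value to epoch seconds using shell builtins only. The function name http_date_to_epoch and the EPOCH variable are assumptions made for this sketch, and only the IMF-fixdate form is accepted.

```sh
#!/bin/sh
# Added example, not from the thread. Converts an IMF-fixdate Date value,
# e.g. "Mon, 31 Aug 2020 15:20:32 GMT", to Unix epoch seconds with shell
# builtins only. The caller strips the "Date: " prefix and any trailing CR.

# http_date_to_epoch VALUE: sets EPOCH and returns 0, or returns 1 if malformed.
http_date_to_epoch() {
    set -f; set -- $1; set +f   # split into: wkday, DD Mon YYYY HH:MM:SS GMT
    [ $# -eq 6 ] && [ "$6" = GMT ] || return 1
    d=$2 y=$4 t=$5
    case $3 in
        Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;;
        May) m=5 ;; Jun) m=6 ;; Jul) m=7 ;; Aug) m=8 ;;
        Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    # Reject anything that is not strictly two/four digits and HH:MM:SS.
    case $d in [0-3][0-9]) ;; *) return 1 ;; esac
    case $y in [1-9][0-9][0-9][0-9]) ;; *) return 1 ;; esac
    case $t in [0-2][0-9]:[0-5][0-9]:[0-6][0-9]) ;; *) return 1 ;; esac
    hh=${t%%:*}; ss=${t##*:}; mi=${t#*:}; mi=${mi%:*}
    # Drop one leading zero so "08" is not parsed as an invalid octal number.
    d=${d#0} hh=${hh#0} mi=${mi#0} ss=${ss#0}
    [ "$d" -ge 1 ] && [ "$d" -le 31 ] && [ "$hh" -le 23 ] || return 1
    # Days since 1970-01-01 (Gregorian calendar, year counted from March).
    if [ "$m" -le 2 ]; then y=$((y - 1)); m=$((m + 9)); else m=$((m - 3)); fi
    doy=$(( (153 * m + 2) / 5 + d - 1 ))
    yoe=$(( y % 400 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( y / 400 * 146097 + doe - 719468 ))
    EPOCH=$(( days * 86400 + hh * 3600 + mi * 60 + ss ))
}

# Constructed sample: this message's own timestamp written in header form.
if http_date_to_epoch "Mon, 31 Aug 2020 15:20:32 GMT"; then
    echo "epoch: $EPOCH"
fi
```

A Date value fetched over plain HTTP is unauthenticated, so a client would normally bound the result (for example, no earlier than its firmware build time) before setting the clock from it.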