[wp-trac] [WordPress Trac] #19549: Please remove X-Mailer from class-phpmailer
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 3 20:51:03 UTC 2012
#19549: Please remove X-Mailer from class-phpmailer
-----------------------------------+-----------------------
Reporter: jwz | Owner: westi
Type: enhancement | Status: assigned
Priority: normal | Milestone: 3.4
Component: External Libraries | Version: 3.3
Severity: minor | Resolution:
Keywords: 2nd-opinion has-patch |
-----------------------------------+-----------------------
Comment (by jwz):
Currently, I can remove WordPress version-branding in HTML and RSS by
doing:
{{{
function no_generator() { return ''; }
add_filter('the_generator', 'no_generator');
}}}
Wouldn't it be better for php-mailer to be calling `the_generator()` so
that all this comes from the same place?
It's also important that if `the_generator()` returns an empty string that
the header not be emitted at all. A blank X-Mailer header is almost as
good as a signature providing a version number in the first place.
As I said in my initial report, please keep in mind that the reason I'm
complaining about this is that providing people with version numbers of
the software that is running on remote servers is a ''security exposure''.
I'm not trying to de-brand this stuff for no reason. I'm trying to de-brand
it because the first thing someone who's trying to hack your server
wants to know is what it's running. The fewer identifiable clues that you
provide to that, the safer you are.
I think it's a big mistake for WordPress to tell the world what version
number is running by default, but at least in the case of WordPress, I can
override that.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19549#comment:12>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
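The policy proposed in this comment, modelled as an added Python example rather than WordPress or PHPMailer code: the X-Mailer value is derived from the site's generator string, the header is omitted entirely when that string is empty, and a small check flags outgoing messages that still carry a version number. The sample message and its X-Mailer value are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample of an outgoing message carrying a version-revealing
# X-Mailer header of the kind the ticket objects to (value is illustrative).
SAMPLE_MESSAGE = """\
From: wordpress@example.com
To: admin@example.com
Subject: [Example] Password Reset
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
Content-Type: text/plain; charset=UTF-8

Someone requested that the password be reset.
"""

VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def x_mailer_header(generator):
    """Model of the proposed behaviour: build X-Mailer from the generator
    string and return None (emit no header at all) when it is empty, since
    a blank header is itself a recognisable signature."""
    value = generator.strip()
    if not value:
        return None
    return ("X-Mailer", value)


def leaked_version_headers(raw):
    """Return the names of X-Mailer headers in a captured outgoing message
    whose value carries a version number: the clue the ticket wants removed."""
    msg = message_from_string(raw, policy=default)
    return [name for name, value in msg.items()
            if name.lower() == "x-mailer" and VERSION_RE.search(value)]


def apply_mailer_policy(raw, generator=""):
    """Rewrite a captured message under the proposed policy: drop any
    existing X-Mailer and add one only if the generator is non-empty."""
    msg = message_from_string(raw, policy=default)
    del msg["X-Mailer"]
    header = x_mailer_header(generator)
    if header is not None:
        msg[header[0]] = header[1]
    return msg.as_string()
```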