apr-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: apr 1.4.3, apr-util 1.3.11
Date Mon, 14 Mar 2011 23:42:32 GMT
On 3/14/2011 6:31 PM, Guenter Knauf wrote:
> I think since we agree that we have a bug with APR + we have a working fix for it we
> should go with the fix and backport it to all branches for now. Sure I agree with you that
> we should always look for root causes rather than introducing workarounds

Sorry, totally disagree when you talk about any parsers.  They tend to be
the root of most security issues and nearly all interop problems.

As I said *Saturday* to no objections, I would plow through all such issues
over the course of this week.  So, no, I disagree with applying this without
thinking it through (if someone is using this to compare canonical paths,
the new 'feature' introduces a security hole, and if this was a problem in
the past, it may represent already existing security holes in the consumer).

It's actually third on my apr-plate, meaning this now distracts me from
finishing my review of all these single unix specs and legacy behaviors
for the undefined bits to ensure my fnmatch optimization logic is correct.

So please, don't backport until this coming Saturday, if Bert and I haven't
found a better resolution.  kthx
