httpd-apreq-dev mailing list archives

From Joe Schaefer
Subject ramifications of PHP vulnerability?
Date Wed, 31 Jul 2002 04:35:44 GMT

Last week the PHP folks announced a security flaw in their
multipart/form-data code.  I know that their code is largely based
on our apreq-1.0 C code.

In the past we've discussed the limitations on how the 1.0 mfd parser
handles header info (we assume the header size is < 5K, and do not
handle wrapped lines).  The PHP vulnerability appears related to this
issue, even though we'd concluded that the parser's behavior was OK.

Should we be concerned?  Can any of the committers (Jim, Rasmus) that
are also PHP developers enlighten us as to whether the vulnerability 
is in the PHP port, or apreq itself?

Joe Schaefer
