httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 22030] - SECURITY: 4097+ bytes of stderr from cgi script causes script to hang
Date Thu, 25 Mar 2004 13:26:13 GMT

http://issues.apache.org/bugzilla/show_bug.cgi?id=22030

SECURITY: 4097+ bytes of stderr from cgi script causes script to hang

------- Additional Comments From trawick@apache.org  2004-03-25 13:26 -------
>How urgent is fixing this bug viewed as by those who are actively working on
>Apache?

Empirical evidence would suggest that it is not very important.

>Are we likely to see a proper fix for this included in a production
>release in the foreseeable future or will work arounds within scripts
>and fixes like Jeff's be the norm for now?

I have no idea about the first question.

The answer to the second question is, in general, no.  This particular situation
is one which requires a complete redesign of how mod_cgi interacts with scripts.
I have made a set of code available which for Unix has a design that should
solve this problem, it works for my testcases, etc.

Another unusual example: 2.0.49 provided an overhaul of mod_include with
a completely new parsing engine and a number of existing problems resolved.  For
quite a while, people with 2.0.x mod_include problems were asked to try this
alternate implementation.  After a relatively long time it was merged into 2.0.x
for the 2.0.49 release.

If somebody has time/energy to move the ball forward they can offer their own
solution or try out what I have and offer feedback.

If somebody does not have time/energy to help move the ball forward they can
always buy commercial support for Apache or an Apache-based server and complain
to the vendor that it does not meet their requirements.

Or modify scripts to redirect stderr or not output so much stuff to stderr.

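The script-side workaround named at the end of the message (redirect stderr), as an added example that is not part of the original message or of Apache's code: a constructed parent process that leaves the script's stderr pipe undrained, and a stand-in script that avoids blocking by pointing fd 2 at a log file before writing anything. `run_script`, the `STDERR_LOG` variable and the log file name are assumptions made for this illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a chatty CGI script. If STDERR_LOG is set it applies
# the workaround first: point fd 2 at a log file instead of the server's pipe.
SCRIPT = r'''
import os, sys
log = os.environ.get("STDERR_LOG")
if log:
    fd = os.open(log, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    os.dup2(fd, 2)          # same effect as `exec 2>>"$STDERR_LOG"` in sh
    os.close(fd)
sys.stderr.write("w" * int(sys.argv[1]))   # diagnostics, written before the body
sys.stderr.flush()
sys.stdout.write("Content-Type: text/plain\r\n\r\nok\n")
'''

def run_script(stderr_bytes, stderr_log=None, timeout=10.0):
    """Run SCRIPT under a parent that never drains the stderr pipe.
    Returns (completed, stdout); completed is False if the child had to be killed."""
    env = dict(os.environ)
    env.pop("STDERR_LOG", None)
    if stderr_log:
        env["STDERR_LOG"] = stderr_log
    proc = subprocess.Popen(
        [sys.executable, "-c", SCRIPT, str(stderr_bytes)],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env)
    try:
        proc.wait(timeout=timeout)      # stdout is tiny, so only stderr can block
        completed = True
    except subprocess.TimeoutExpired:
        proc.kill()                     # child was stuck writing to a full pipe
        proc.wait()
        completed = False
    out = proc.stdout.read()
    proc.stdout.close()
    proc.stderr.close()
    return completed, out

if __name__ == "__main__":
    # Current pipe buffers are larger than the 4096 bytes in the bug title,
    # so use 2 MiB to exceed any default.
    big = 2 * 1024 * 1024
    print("no redirect:", run_script(big, timeout=2.0)[0])
    with tempfile.TemporaryDirectory() as d:
        print("redirected :", run_script(big, os.path.join(d, "cgi-stderr.log"))[0])
```

The redirect has to happen before the first write to stderr; the log file then needs its own rotation and permissions, since the diagnostics no longer reach the server's error log.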