httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52832] New: numerical configuration entry can be mistakenly interpreted without users' awareness
Date Mon, 05 Mar 2012 23:06:40 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52832

             Bug #: 52832
           Summary: numerical configuration entry can be mistakenly
                    interpreted without users' awareness
           Product: Apache httpd-2
           Version: 2.4.1
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: zation99@gmail.com
    Classification: Unclassified


Almost all of the configuration parsing logic for numerical entries uses atoi()
or atol() to convert a string to an integer (for example, in set_max_ranges(),
set_max_reversals(), etc.).

However, atoi and atol will only return an error (<=0) if the initial portion of
the string is not a digit. If the string starts with some digits, they will
convert the initial portion without reporting any error.

For example, the string "2o0" will be parsed and returned as 2. In this case,
although the user's original intention might have been to set it to 200, the
program executes as if it were 2 instead, without giving any warning.

It seems it affects almost all versions of httpd, and every place where atoi /
atol is used to convert configuration parameters from string to integer.

Bug fix proposal: use strtol(char* nptr, char **endptr, int base) instead, and
give out warnings if the endptr does not point to the end of the string. Or use
apr_strtoi64() instead.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
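
The difference between atoi() and the strtol()-with-endptr check proposed in the report, as an added example that is not part of the original bug report or of httpd's code. The helper name parse_config_long and the sample arguments are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not an httpd function): strict decimal parse of a
 * configuration argument. Returns 0 and stores the value on success,
 * -1 if the argument is empty, has trailing non-digit text, or overflows. */
static int parse_config_long(const char *arg, long *out)
{
    char *end;
    long val;

    errno = 0;
    val = strtol(arg, &end, 10);
    if (end == arg)        /* no digits consumed: "", "abc" */
        return -1;
    if (*end != '\0')      /* trailing text: "2o0" stops at 'o' */
        return -1;
    if (errno == ERANGE)   /* value does not fit in a long */
        return -1;
    *out = val;
    return 0;
}

int main(void)
{
    /* Constructed sample directive arguments. */
    const char *samples[] = { "200", "2o0", "", "abc" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long v = 0;
        int rc = parse_config_long(samples[i], &v);

        /* atoi() silently accepts the leading digits of "2o0". */
        printf("\"%s\": atoi=%d, strict=", samples[i], atoi(samples[i]));
        if (rc == 0)
            printf("%ld\n", v);
        else
            printf("rejected\n");
    }
    return 0;
}
```

A directive handler using such a check can return an error string for the rejected argument instead of continuing with the truncated value.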