httpd-cvs mailing list archives

From br...@hyperreal.org
Subject cvs commit: apache-1.3 STATUS
Date Mon, 11 May 1998 23:45:13 GMT
brian       98/05/11 16:45:13

  Modified:    .        STATUS
  Log:
  Moved two issues to non-showstopper status based on new-httpd discussions.
  
  Revision  Changes    Path
  1.396     +12 -10    apache-1.3/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.395
  retrieving revision 1.396
  diff -u -r1.395 -r1.396
  --- STATUS	1998/05/11 20:08:02	1.395
  +++ STATUS	1998/05/11 23:45:11	1.396
  @@ -11,18 +11,8 @@
   
   FINAL RELEASE SHOWSTOPPERS:
   
  -    * Someone other than Dean has to do a security/correctness review on
  -      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  -      do lots of fun pointer manipulations and such and possibly have overflow
  -      errors.  The respective flush_funcs also need to be exercised.
  -       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  -         did to make thread-safe) and they look fine.
  -
   WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
   
  -    * SECURITY: check if the magic con/aux/nul/etc names do anything
  -	really bad
  -
       * SECURITY: numerous uses of strcpy and strcat have potential
   	for buffer overflow, someone should rewrite or verify
   	they're safe
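Review bot: With the psprintf()/bprintf()/ap_snprintf() item removed, "FINAL RELEASE SHOWSTOPPERS:" is followed directly by the WIN32 heading, so the section reads as empty without saying so. Add an explicit "(none)" line under it. The log message cites only "new-httpd discussions", so also record in STATUS why these two security review items were downgraded while the strcpy/strcat item stays a showstopper.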
  @@ -126,6 +116,15 @@
   
   Open issues:
   
  +    * Someone other than Dean has to do a security/correctness review on
  +      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  +      do lots of fun pointer manipulations and such and possibly have overflow
  +      errors.  The respective flush_funcs also need to be exercised.
  +       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  +         did to make thread-safe) and they look fine.
  +       o Laura La Gassa's looked over ap_vformatter & other related code
  +       o Could still use 1 or 2 more sets of eyeballs.
  +
       * Paul would like to see a 'gdbm' option because he uses
         it a lot.
   
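Review bot: The moved item still opens with "Someone other than Dean has to do a security/correctness review" although its sub-bullets now record two reviewers, and it does not say what remains uncovered. The notes name only ap_snprintf() and ap_vformatter, so state whether psprintf(), bprintf() and the flush_funcs have been looked at. Prefixing the item with "SECURITY:" like the other entries would keep it findable now that it is outside the showstopper list.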
  @@ -188,6 +187,9 @@
   	Ken: What's W95-specific about it?
   
    Help:
  +
  +    * SECURITY: check if the magic con/aux/nul/etc names do anything
  +	really bad
   
       * chdir() for CGI scripts and mod_include #exec needs to be 
         re-implemented.  This requires either serializing chdir/spawn 
  
  
  
