httpd-dev mailing list archives

From Brian Behlendorf <br...@wired.com>
Subject Re: apache-0.2...
Date Wed, 22 Mar 1995 19:47:59 GMT
On Wed, 22 Mar 1995, David Robinson wrote:
> B39_CRLF*.txt: Fix header output format to use CRLF not just LF: -1
> 
> You all know that I don't agree with the approach; I think Roy made
> the best point, that the CGI spec allows LF or CRLF, whereas HTTP
> only allows CRLF, and so httpd should do the necessary protocol conversion.
> Also, CGI programmers are used to 'malformed header from CGI script', and
> so they all probably think httpd is checking their headers anyway. However, I
> don't mind going with the majority vote on whether httpd should add CR to
> headers from parsed scripts.

Uh, but this patch doesn't touch script-generated headers, except for one 
part.  The majority of the patch is taken up in changing HTTPD-generated 
headers from LF to CRLF - there was one bug which I fixed with the 401 
response, but the others look right.  

> But this particular patch gets -1 either way:
>  * the patch introduces a bug: a CGI script that sends a Status: header
>    ending in CRLF causes httpd to send a status line ending in CRCRLF, and

Hmm?  This seems to work alright for me....

>  * Either it should add the CR, in which case it is wrong.
>    Or, it should allow the (non nph-) CGI script to send its output
>    unchanged, in which case:
>    the patch does not fix a bug in httpd which sets the first character
>    to be a ':' in any CGI header that does not contain a ':'. Such headers
>    are allowed by http/1.0.

Indeed, this bug should be fixed, but that can be a separate patch.

> B40_trailing_slash.txt:  fix for introduced bug with trailing / in env var: -1
> Sorry, it doesn't work. I now don't get any PATH_INFO data at all in my
> /cgi-bin scripts. 

Hmm - this seems to work fine for me.

> In fact, I'd like to retrospectively give a -1 to
> B23 (addtype bug), and have it removed from 0.2...

What does this have to do with B40?

> B41: NCSA strsubfirst() stack-scribbling security fix:  +1

+1 as well.

> Enhancements:
> E37.load_cutoff.txt: Allow connections to be rejected if high load av: 0
> I think this is rather like the mmap nscache; a bit too unportable.
> You would want to at least try and port it to as many architectures
> first.

I'm a little more liberal - if it's a compile-time option and works on 
a couple of platforms (with the port to other platforms just waiting to 
happen) then I don't have a problem with it being in the distribution.

> Am I meant to vote for my own patches? If so,
> P12-nscache-2.txt: name server cache: +1
> E38-alias_malloc-3.txt: Store aliases in malloc'ed memory: +1
> (note new version.)

Yes, please use the new version, the old one was causing core dumps with 
cgi-bin scripts.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/
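
Added example, not part of the original message and not code from the Apache patches under vote: one way to do the LF-to-CRLF conversion discussed above so that a CGI header already ending in CRLF is not turned into CRCRLF, and a header line without a ':' is passed through unmodified. The function names and sample headers are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy one CGI header line from `in` to `out`, terminated by exactly one
 * CRLF whether the script sent LF or CRLF. The line content is not altered.
 * Returns bytes written (excluding the NUL), or 0 if `out` is too small. */
size_t normalize_header_line(const char *in, char *out, size_t outsz)
{
    size_t len = strcspn(in, "\n");       /* up to, not including, the LF */
    if (len > 0 && in[len - 1] == '\r')   /* script already sent CR: drop it */
        len--;                            /* so we never emit CRCRLF */
    if (len + 3 > outsz)                  /* line + CR + LF + NUL must fit */
        return 0;
    memcpy(out, in, len);
    memcpy(out + len, "\r\n", 3);         /* copies CR, LF and the NUL */
    return len + 2;
}

/* Normalize a whole CGI header block, up to and including the blank line
 * that ends the headers. The body after the blank line is not copied.
 * Returns total bytes written, or 0 if `out` is too small. */
size_t normalize_header_block(const char *in, char *out, size_t outsz)
{
    size_t used = 0;
    while (*in) {
        size_t n = normalize_header_line(in, out + used, outsz - used);
        if (n == 0)
            return 0;
        used += n;
        const char *nl = strchr(in, '\n');
        in = nl ? nl + 1 : in + strlen(in);
        if (n == 2)                       /* bare CRLF: end of headers */
            break;
    }
    return used;
}

int main(void)
{
    /* Constructed sample: mixed LF/CRLF endings and one colon-less line. */
    const char *cgi = "Status: 200 OK\r\nContent-type: text/html\nX-NoColon\n\nbody";
    char out[256];
    size_t n = normalize_header_block(cgi, out, sizeof out);
    printf("%zu bytes of normalized headers\n", n);
    return 0;
}
```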

