To: new-httpd@hyperreal.com
Subject: Re: 0.3 is go 
In-reply-to: Your message of "Sat, 25 Mar 1995 21:50:00 GMT."
             <m0rsdix-0003p5C@cass39.ast.cam.ac.uk>
Date: Sat, 25 Mar 1995 19:07:56 -0800
From: "Roy T. Fielding" <fielding@avron.ICS.UCI.EDU>
Message-ID: <9503251908.aa16600@paris.ics.uci.edu>
Sender: owner-new-httpd@hyperreal.com
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

> * All the bugs: B4, B5, B19, B22. (Roy, you vetoed the B22 patch; would you
>   like to write a better fix?)

Yes, I'd like to, but I won't have the time.  The fix is simple -- don't
allow a string to grow beyond its max length (truncate the input to prevent
this from happening).  Unfortunately, the problem is that the routines pass
the strings around without including the string bounds, which means that
the changes required to fix this problem will permeate the code.

> * Features: E30, and maybe E15.

I have found E30 (the concept) to be extremely useful.  However, if it's
included it should probably be either #ifdef'd or based on a config option.
It would also be nice if the error_log was in a standard format, but that's
probably hopeless.

> * Is the memory usage with the CERT patch (MAX_STRING_LEN = 8192) acceptable
>   even with my malloc patch?

Only if it is an option.  I think its a waste -- it doesn't solve the real
problem and needlessly expands storage for the 95% of strings that never
get very large.

> * We've changed the date format; how many browsers actually understand the
>   new format?

Nobody has ever complained about it when accessing my site, and my site
has been accessed by every client developer in the business.  However,
I also don't use many images at my site, so I haven't given anyone much
cause to complain.  I think Netscape is the only browser capable of failing
on a different date format.

.......Roy