httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Douglass <miked...@texas.net>
Subject Re: WWW Form Bug Report: "Usr of ".map." in file name causes problems" on HPUX (fwd)
Date Sat, 29 Jun 1996 16:33:25 GMT
On Sat, 29 Jun 1996, Randy Terbush wrote:

>
> I'm skeptical about whether this magic number check can be done
> efficiently enough to make it worthwhile.
>
> My feeling is that if you feed mod_imap binary data, you lose.
>
> Would it be rediculous to just trap SIGSEGV here and log an error?
>

In my personal opinion (and professional programming opinion) I would
disagree with that method.  Number One, it's messy (signals almost
always are--especially cross-platform).  Number Two, SIGSEGVs are caused
by programming errors that should not be there.  You never want to
allow memory to be overwritten.  Think of it this way; remember all
of the holes that have been found where the problem was allowing a
memory overflow?  Can we name a few programs?  Hrm.. I think fingerd was
one of them at one time; and Sun recently had to fix syslogd because they
had an overflow problem.

Overflows are *BAD* ideas.  I certainly wouldn't want one of my customers
trying to gain unauthorized access to my system because he/she was able
to overflow a memory buffer and happen to get unwanted code executed.  Sure,
it could take forever and a day for someone to do it; but it has been done
in the past.

Michael Douglass
Texas Networking, Inc.

  "To be a saint is to be an exception; to be a true man is the rule.
   Err, fail, sin if you must, but be upright.  To sin as little as
   possible is the law for men; to sin not at all is a dream for angels."

              - Victor Hugo, "Les Miserables"


Mime
View raw message