httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Time's a wastin'
Date Mon, 23 Sep 1996 15:31:17 GMT

> Coincidentally, we listed many of the 1.1.1. bugs in this week's Apache
> Week. I've extracted the unfixed ones below, and noted which ones have
> patches (usually supplied by the bug reporter, and probably untested).
> There are 22 bugs here, and most are easy to fix.
> 
> Below the bugs I've listed some of the feature-enhancements that are
> already coded.
> 
> BUGS
> 
> 3      When a sub-program is about to be run, Apache checks for correct
>        permissions, but it does not account for other groups that the
>        current user might be in. PATCH AVAILABLE.

Much of this has changed in 1.2. I would point out that Jason and I
made a decision to nuke other groups that the user might be in just
to be paranoid when doing setuid execution. Could I see the patch for
this?

> 5      Domain names on allow and deny lines are not compared
>        case-insensitively.

I thought this had been fixed.

> 9      Imagemap Module: Long URLs (>100 chars) can cause buffer overflows

I looked at this some more (and will look again), but I think the effect
is generally that it will just truncate these long URLs.

> 11     Negotiation Module: Charset negotiation is not implemented.
>        PATCH AVAILABLE

I think we decided this was a bad thing.

> 13     Userdir: cannot handle certain configurations, such as
>        http://10.1.2.3/~*

Fixed by mod_rewrite.

> 21     Host: header can override IP virtual hosts to give access to
>        other vhosts' information.

I think this is noted in the docs. Feature.  :)

> 22     IP-based Virtual hosts on main IP address but different ports
>        not working.

Fixed?  I think it is working on my 1.2 servers.
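
For bug 5 above, an added example (not Apache's code and not part of this message): one way to test a client hostname against the domain on an allow/deny line without regard to case. It goes slightly beyond the bug as listed by also requiring the match to fall on a label boundary; the name `host_in_domain` and the sample hostnames are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* ASCII-only lowercase: DNS names are ASCII, so avoid locale-dependent tolower(). */
static int ascii_lower(int c)
{
    return (c >= 'A' && c <= 'Z') ? c + ('a' - 'A') : c;
}

/* Compare n bytes of a and b, ignoring ASCII case. */
static int ascii_ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Return 1 if host is domain itself or a subdomain of it, else 0.
 * Hypothetical helper: domain is the text from an allow/deny line,
 * host is the client's resolved name. */
int host_in_domain(const char *domain, const char *host)
{
    size_t dl = strlen(domain), hl = strlen(host);

    /* Ignore one trailing root dot ("example.com." == "example.com"). */
    if (dl && domain[dl - 1] == '.') dl--;
    if (hl && host[hl - 1] == '.') hl--;
    if (dl == 0 || hl < dl)
        return 0;

    const char *tail = host + (hl - dl);
    if (!ascii_ieq(domain, tail, dl))
        return 0;               /* suffix differs even ignoring case */
    if (hl == dl)
        return 1;               /* whole name matched */
    /* Suffix matched: accept only on a label boundary, so that
     * "good.com" does not admit "nogood.com". */
    return domain[0] == '.' || tail[-1] == '.';
}

int main(void)
{
    /* Constructed sample hostnames. */
    const char *hosts[] = { "WWW.Example.COM", "nogood.com", "example.com." };
    const char *rules[] = { "example.com", "good.com", "Example.Com" };
    for (int i = 0; i < 3; i++)
        printf("%s in %s: %d\n", hosts[i], rules[i], host_in_domain(rules[i], hosts[i]));
    return 0;
}
```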
