httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@liege.ICS.UCI.EDU>
Subject mod_dir bug never fixed in 1.2
Date Tue, 26 Nov 1996 09:16:58 GMT
I was just checking through my save folder and found this.
It hasn't been fixed in the cvs source.

.....Roy

------- Forwarded Message

Message-Id: <199604241822.NAA10193@austin.bsdi.com>
To: new-httpd@hyperreal.com
Subject: bug in directory indexing code (apache version 1.0.0-1.0.5)
In-reply-to: Rob Hartill's message of Wed, 24 Apr 1996 09:15:56 MDT.
References: <199604241515.AA208498956@ooo.lanl.gov> 
From: Tony Sanders <sanders@bsdi.com>
Organization: Berkeley Software Design, Inc.
Date: Wed, 24 Apr 1996 13:22:00 -0500
Sender: owner-new-httpd@hyperreal.com
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

I've been having some problems with apache 1.0.0-1.0.5
occassionaly getting into a tight spin-loop eating up cpu.  I
finally traced it down to the directory indexing code trashing
the stack with a null byte.  Someone should check 1.1b* for
this bug as well.

A patch follows -- though whoever "owns" that code might want to
solve the problem in a different way as I was not totally clear on
why the code was doing things the way it was doing them so I opted
to just preserve the behavior.  I also reduced the number of times
that the constant "23" was used -- it should probably be a #define.

*** mod_dir.c.orig	Wed Apr 24 12:45:48 1996
--- mod_dir.c	Wed Apr 24 13:12:47 1996
***************
*** 617,625 ****
  		t2 = pstrcat(scratch, t2, "</A>", NULL);
              } else 
  	    {
! 		char buff[23]="                       ";
  		t2 = escape_html(scratch, t);
! 		buff[23-len] = '\0';
  		t2 = pstrcat(scratch, t2, "</A>", buff, NULL);
  	    }
  	    anchor = pstrcat (scratch, "<A HREF=\"",
--- 617,626 ----
  		t2 = pstrcat(scratch, t2, "</A>", NULL);
              } else 
  	    {
! 		char buff[23];
! 		strncpy(buff, "                       ", sizeof(buff));
  		t2 = escape_html(scratch, t);
! 		buff[sizeof(buff)-len] = '\0';
  		t2 = pstrcat(scratch, t2, "</A>", buff, NULL);
  	    }
  	    anchor = pstrcat (scratch, "<A HREF=\"",

------- End of Forwarded Message

Mime
View raw message