httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@znep.com>
Subject [PATCH]: slightly updated buffer overflow patches
Date Mon, 20 Jan 1997 01:04:56 GMT
Here are my latest patches.  The only difference between them and the
previous version is that I removed the mod_fastcgi changes and lowered
the size of a buffer in mod_info a bit, as discussed.

I think there is enough support to commit them for final testing now.
Once that is done, it would be a good time to double check compiling
on all platforms you can with all modules you can, with (if you
have snprintf) and without HAVE_SNPRINTF defined.

Index: buff.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/buff.c,v
retrieving revision 1.13
diff -c -r1.13 buff.c
*** buff.c	1997/01/18 19:17:21	1.13
--- buff.c	1997/01/19 22:23:10
***************
*** 481,487 ****
      if (fb->flags & B_CHUNK) {
  	char chunksize[16];	/* Big enough for practically anything */
  
! 	sprintf(chunksize, "%x\015\012", nbyte);
  	write(fb->fd, chunksize, strlen(chunksize));
      }
      r = write(fb->fd, buf, nbyte);
--- 481,487 ----
      if (fb->flags & B_CHUNK) {
  	char chunksize[16];	/* Big enough for practically anything */
  
! 	ap_snprintf(chunksize, sizeof(chunksize), "%x\015\012", nbyte);
  	write(fb->fd, chunksize, strlen(chunksize));
      }
      r = write(fb->fd, buf, nbyte);
Index: http_config.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_config.c,v
retrieving revision 1.40
diff -c -r1.40 http_config.c
*** http_config.c	1997/01/04 15:10:15	1.40
--- http_config.c	1997/01/12 07:25:02
***************
*** 236,242 ****
      for(n=0 ; aMethods[n].offset >= 0 ; ++n)
  	if(aMethods[n].offset == offset)
  	    break;
!     sprintf(buf,"%s:%s",modp->name,aMethods[n].method);
      return buf;
      }
  #else
--- 236,242 ----
      for(n=0 ; aMethods[n].offset >= 0 ; ++n)
  	if(aMethods[n].offset == offset)
  	    break;
!     ap_snprintf(buf, sizeof(buf), "%s:%s",modp->name,aMethods[n].method);
      return buf;
      }
  #else
Index: http_core.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_core.c,v
retrieving revision 1.57
diff -c -r1.57 http_core.c
*** http_core.c	1997/01/01 18:10:17	1.57
--- http_core.c	1997/01/12 07:26:24
***************
*** 884,890 ****
  
  const char *set_server_root (cmd_parms *cmd, void *dummy, char *arg) {
      if (!is_directory (arg)) return "ServerRoot must be a valid directory";
!     strcpy (server_root, arg);
      return NULL;
  }
  
--- 884,891 ----
  
  const char *set_server_root (cmd_parms *cmd, void *dummy, char *arg) {
      if (!is_directory (arg)) return "ServerRoot must be a valid directory";
!     strncpy (server_root, arg, sizeof(server_root)-1);
!     server_root[sizeof(server_root)-1] = '\0';
      return NULL;
  }
  
Index: http_main.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_main.c,v
retrieving revision 1.106
diff -c -r1.106 http_main.c
*** http_main.c	1997/01/12 20:38:12	1.106
--- http_main.c	1997/01/18 07:50:02
***************
*** 193,206 ****
  void
  accept_mutex_init(pool *p)
      {
!     char lock_fname[30];
  
  #ifdef __MACHTEN__
!     strcpy(lock_fname, "/var/tmp/htlock.XXXXXX");
  #else
!     strcpy(lock_fname, "/usr/tmp/htlock.XXXXXX");
  #endif
!     
      if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0')
      {
  	fprintf (stderr, "Cannot assign name to lock file!\n");
--- 193,207 ----
  void
  accept_mutex_init(pool *p)
      {
!     char lock_fname[256];
  
  #ifdef __MACHTEN__
!     strncpy(lock_fname, "/var/tmp/htlock.XXXXXX", sizeof(lock_fname)-1);
  #else
!     strncpy(lock_fname, "/usr/tmp/htlock.XXXXXX", sizeof(lock_fname)-1);
  #endif
!     lock_fname[sizeof(lock_fname)-1] = '\0';
! 
      if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0')
      {
  	fprintf (stderr, "Cannot assign name to lock file!\n");
***************
*** 251,259 ****
  void
  accept_mutex_init(pool *p)
  {
!     char lock_fname[30];
  
!     strcpy(lock_fname, "/usr/tmp/htlock.XXXXXX");
      
      if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0')
      {
--- 252,261 ----
  void
  accept_mutex_init(pool *p)
  {
!     char lock_fname[256];
  
!     strncpy(lock_fname, "/usr/tmp/htlock.XXXXXX", sizeof(lock_fname)-1);
!     lock_fname[sizeof(lock_fname)-1] = '\0';
      
      if (mktemp(lock_fname) == NULL || lock_fname[0] == '\0')
      {
***************
*** 411,421 ****
      if (timeout_req != NULL) dirconf = timeout_req->per_dir_config;
      else dirconf = current_conn->server->lookup_defaults;
      if (sig == SIGPIPE) {
!         sprintf(errstr,"%s lost connection to client %s",
  	    timeout_name ? timeout_name : "request",
  	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
      } else {
!         sprintf(errstr,"%s timed out for %s",
  	    timeout_name ? timeout_name : "request",
  	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
      }
--- 413,423 ----
      if (timeout_req != NULL) dirconf = timeout_req->per_dir_config;
      else dirconf = current_conn->server->lookup_defaults;
      if (sig == SIGPIPE) {
!         ap_snprintf(errstr, sizeof(errstr), "%s lost connection to client %s",
  	    timeout_name ? timeout_name : "request",
  	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
      } else {
!         ap_snprintf(errstr, sizeof(errstr), "%s timed out for %s",
  	    timeout_name ? timeout_name : "request",
  	    get_remote_host(current_conn, dirconf, REMOTE_NAME));
      }
***************
*** 606,612 ****
  	exit(1);
      }
  
!     sprintf(errstr, "created shared memory segment #%d", shmid);
      log_error(errstr, server_conf);
  
  #ifdef MOVEBREAK
--- 608,614 ----
  	exit(1);
      }
  
!     ap_snprintf(errstr, sizeof(errstr), "created shared memory segment #%d", shmid);
      log_error(errstr, server_conf);
  
  #ifdef MOVEBREAK
***************
*** 658,664 ****
      if (shmctl(shmid, IPC_RMID, NULL) != 0) {
  	perror("shmctl");
  	fprintf(stderr, "httpd: Could not delete segment #%d\n", shmid);
! 	sprintf(errstr, "could not remove shared memory segment #%d", shmid);
  	log_unixerr("shmctl","IPC_RMID",errstr, server_conf);
      }
      if (scoreboard_image == BADSHMAT)	/* now bailout */
--- 660,666 ----
      if (shmctl(shmid, IPC_RMID, NULL) != 0) {
  	perror("shmctl");
  	fprintf(stderr, "httpd: Could not delete segment #%d\n", shmid);
! 	ap_snprintf(errstr, sizeof(errstr), "could not remove shared memory segment #%d", shmid);
  	log_unixerr("shmctl","IPC_RMID",errstr, server_conf);
      }
      if (scoreboard_image == BADSHMAT)	/* now bailout */
***************
*** 2020,2035 ****
      ptrans = make_sub_pool(pconf);
      
      server_argv0 = argv[0];
!     strcpy (server_root, HTTPD_ROOT);
!     strcpy (server_confname, SERVER_CONFIG_FILE);
  
      while((c = getopt(argc,argv,"Xd:f:vhl")) != -1) {
          switch(c) {
            case 'd':
!             strcpy (server_root, optarg);
              break;
            case 'f':
!             strcpy (server_confname, optarg);
              break;
            case 'v':
              printf("Server version %s.\n",SERVER_VERSION);
--- 2022,2041 ----
      ptrans = make_sub_pool(pconf);
      
      server_argv0 = argv[0];
!     strncpy (server_root, HTTPD_ROOT, sizeof(server_root)-1);
!     server_root[sizeof(server_root)-1] = '\0';
!     strncpy (server_confname, SERVER_CONFIG_FILE, sizeof(server_root)-1);
!     server_confname[sizeof(server_confname)-1] = '\0';
  
      while((c = getopt(argc,argv,"Xd:f:vhl")) != -1) {
          switch(c) {
            case 'd':
!             strncpy (server_root, optarg, sizeof(server_root)-1);
!             server_root[sizeof(server_root)-1] = '\0';
              break;
            case 'f':
!             strncpy (server_confname, optarg, sizeof(server_confname)-1);
!             server_confname[sizeof(server_confname)-1] = '\0';
              break;
            case 'v':
              printf("Server version %s.\n",SERVER_VERSION);
Index: http_protocol.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_protocol.c,v
retrieving revision 1.90
diff -c -r1.90 http_protocol.c
*** http_protocol.c	1997/01/12 20:22:17	1.90
--- http_protocol.c	1997/01/18 08:15:40
***************
*** 140,150 ****
  
  	r->byterange = 1;
  
! 	sprintf(ts, "bytes %ld-%ld/%ld", range_start, range_end,
  		r->clength);
  	table_set(r->headers_out, "Content-Range",
  		  pstrdup(r->pool, ts));
! 	sprintf(ts, "%ld", range_end - range_start + 1);
  	table_set(r->headers_out, "Content-Length", ts);
      }
      else {
--- 140,150 ----
  
  	r->byterange = 1;
  
! 	ap_snprintf(ts, sizeof(ts), "bytes %ld-%ld/%ld", range_start, range_end,
  		r->clength);
  	table_set(r->headers_out, "Content-Range",
  		  pstrdup(r->pool, ts));
! 	ap_snprintf(ts, sizeof(ts), "%ld", range_end - range_start + 1);
  	table_set(r->headers_out, "Content-Length", ts);
      }
      else {
***************
*** 153,159 ****
  	
  	r->byterange = 2;
  	table_unset(r->headers_out, "Content-Length");
! 	sprintf(boundary, "%lx%lx", r->request_time, (long)getpid());
  	r->boundary = pstrdup(r->pool, boundary);
      }
      
--- 153,159 ----
  	
  	r->byterange = 2;
  	table_unset(r->headers_out, "Content-Length");
! 	ap_snprintf(boundary, sizeof(boundary), "%lx%lx", r->request_time, (long)getpid());
  	r->boundary = pstrdup(r->pool, boundary);
      }
      
***************
*** 181,187 ****
  	char *ct = r->content_type ? r->content_type : default_type(r);
  	char ts[MAX_STRING_LEN];
  
! 	sprintf(ts, "%ld-%ld/%ld", range_start, range_end, r->clength);
  	rvputs(r, "\015\012--", r->boundary, "\015\012Content-type: ",
  	       ct, "\015\012Content-range: bytes ", ts, "\015\012\015\012",
  	       NULL);
--- 181,187 ----
  	char *ct = r->content_type ? r->content_type : default_type(r);
  	char ts[MAX_STRING_LEN];
  
! 	ap_snprintf(ts, sizeof(ts), "%ld-%ld/%ld", range_start, range_end, r->clength);
  	rvputs(r, "\015\012--", r->boundary, "\015\012Content-type: ",
  	       ct, "\015\012Content-range: bytes ", ts, "\015\012\015\012",
  	       NULL);
***************
*** 198,204 ****
  
      r->clength = clength;
  
!     sprintf (ts, "%ld", clength);
      table_set (r->headers_out, "Content-Length", pstrdup (r->pool, ts));
  
      return 0;
--- 198,204 ----
  
      r->clength = clength;
  
!     ap_snprintf (ts, sizeof(ts), "%ld", clength);
      table_set (r->headers_out, "Content-Length", pstrdup (r->pool, ts));
  
      return 0;
***************
*** 225,231 ****
  	 * that sets the output to chunked encoding if it is not already
  	 * length-delimited.  It is not a bug, though it is annoying.
  	 */
! 	char header[26];
  	int left = r->server->keep_alive - r->connection->keepalives;
  	
  	r->connection->keepalive = 1;
--- 225,231 ----
  	 * that sets the output to chunked encoding if it is not already
  	 * length-delimited.  It is not a bug, though it is annoying.
  	 */
! 	char header[256];
  	int left = r->server->keep_alive - r->connection->keepalives;
  	
  	r->connection->keepalive = 1;
***************
*** 233,239 ****
  	
  	/* If they sent a Keep-Alive token, send one back */
  	if (ka_sent) {
! 	    sprintf(header, "timeout=%d, max=%d",
  		    r->server->keep_alive_timeout, left);
  	    rputs("Connection: Keep-Alive\015\012", r);
  	    rvputs(r, "Keep-Alive: ", header, "\015\012", NULL);
--- 233,239 ----
  	
  	/* If they sent a Keep-Alive token, send one back */
  	if (ka_sent) {
! 	    ap_snprintf(header, sizeof(header), "timeout=%d, max=%d",
  		    r->server->keep_alive_timeout, left);
  	    rputs("Connection: Keep-Alive\015\012", r);
  	    rvputs(r, "Keep-Alive: ", header, "\015\012", NULL);
***************
*** 280,289 ****
       */
  
      if (r->finfo.st_mode != 0)
!         sprintf(weak_etag, "W/\"%lx-%lx-%lx\"", (unsigned long)r->finfo.st_ino,
  		(unsigned long)r->finfo.st_size, (unsigned long)mtime);
      else
!         sprintf(weak_etag, "W/\"%lx\"", (unsigned long)mtime);
  
      etag = weak_etag + ((r->request_time - mtime > 1) ? 2 : 0);
      table_set (r->headers_out, "ETag", etag);
--- 280,291 ----
       */
  
      if (r->finfo.st_mode != 0)
!         ap_snprintf(weak_etag, sizeof(weak_etag), "W/\"%lx-%lx-%lx\"", 
! 		(unsigned long)r->finfo.st_ino,
  		(unsigned long)r->finfo.st_size, (unsigned long)mtime);
      else
!         ap_snprintf(weak_etag, sizeof(weak_etag), "W/\"%lx\"",
! 		(unsigned long)mtime);
  
      etag = weak_etag + ((r->request_time - mtime > 1) ? 2 : 0);
      table_set (r->headers_out, "ETag", etag);
***************
*** 752,760 ****
  
  void note_digest_auth_failure(request_rec *r)
  {
!     char nonce[10];
  
!     sprintf(nonce, "%lu", r->request_time);
      table_set (r->err_headers_out, "WWW-Authenticate",
                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
                         "\", nonce=\"", nonce, "\"", NULL));
--- 754,762 ----
  
  void note_digest_auth_failure(request_rec *r)
  {
!     char nonce[256];
  
!     ap_snprintf(nonce, sizeof(nonce), "%lu", r->request_time);
      table_set (r->err_headers_out, "WWW-Authenticate",
                 pstrcat(r->pool, "Digest realm=\"", auth_name(r),
                         "\", nonce=\"", nonce, "\"", NULL));
***************
*** 1251,1257 ****
          if (len_to_read == 0) {      /* Last chunk indicated, get footers */
              if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
                  get_mime_headers(r);
!                 sprintf(buffer, "%ld", r->read_length);
                  table_unset(r->headers_in, "Transfer-Encoding");
                  table_set(r->headers_in, "Content-Length", buffer);
                  return 0;
--- 1253,1259 ----
          if (len_to_read == 0) {      /* Last chunk indicated, get footers */
              if (r->read_body == REQUEST_CHUNKED_DECHUNK) {
                  get_mime_headers(r);
!                 ap_snprintf(buffer, bufsiz, "%ld", r->read_length);
                  table_unset(r->headers_in, "Transfer-Encoding");
                  table_set(r->headers_in, "Content-Length", buffer);
                  return 0;
***************
*** 1659,1666 ****
  
          if (recursive_error) {
  	    char x[80];
! 	    sprintf (x, "Additionally, an error of type %d was encountered\n",
! 		     recursive_error);
  	    bputs(x, fd);
  	    bputs("while trying to use an ErrorDocument to\n", fd);
  	    bputs("handle the request.\n", fd);
--- 1661,1669 ----
  
          if (recursive_error) {
  	    char x[80];
! 	    ap_snprintf (x, sizeof(x), 
! 		"Additionally, an error of type %d was encountered\n",
! 		recursive_error);
  	    bputs(x, fd);
  	    bputs("while trying to use an ErrorDocument to\n", fd);
  	    bputs("handle the request.\n", fd);
Index: http_request.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/http_request.c,v
retrieving revision 1.37
diff -c -r1.37 http_request.c
*** http_request.c	1997/01/14 05:03:06	1.37
--- http_request.c	1997/01/18 07:50:07
***************
*** 999,1005 ****
  request_rec *internal_internal_redirect (const char *new_uri, request_rec *r)
  {
      request_rec *new = (request_rec *)pcalloc(r->pool, sizeof(request_rec));
!     char t[10];			/* Long enough... */
    
      new->connection = r->connection;
      new->server = r->server;
--- 999,1005 ----
  request_rec *internal_internal_redirect (const char *new_uri, request_rec *r)
  {
      request_rec *new = (request_rec *)pcalloc(r->pool, sizeof(request_rec));
!     char t[256];		/* Long enough... */
    
      new->connection = r->connection;
      new->server = r->server;
***************
*** 1045,1051 ****
  				  */
      new->no_local_copy = r->no_local_copy;
  
!     sprintf (t, "%d", r->status);
      table_set (new->subprocess_env, "REDIRECT_STATUS", pstrdup (r->pool, t));
  
      return new;
--- 1045,1051 ----
  				  */
      new->no_local_copy = r->no_local_copy;
  
!     ap_snprintf (t, sizeof(t), "%d", r->status);
      table_set (new->subprocess_env, "REDIRECT_STATUS", pstrdup (r->pool, t));
  
      return new;
Index: mod_auth.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth.c,v
retrieving revision 1.11
diff -c -r1.11 mod_auth.c
*** mod_auth.c	1997/01/01 18:10:26	1.11
--- mod_auth.c	1997/01/12 07:35:05
***************
*** 198,211 ****
      if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) {
  	if (!(sec->auth_authoritative))
  	    return DECLINED;
!         sprintf(errstr,"user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         sprintf(errstr,"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 198,211 ----
      if (!(real_pw = get_pw(r, c->user, sec->auth_pwfile))) {
  	if (!(sec->auth_authoritative))
  	    return DECLINED;
!         ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
Index: mod_auth_anon.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_anon.c,v
retrieving revision 1.12
diff -c -r1.12 mod_auth_anon.c
*** mod_auth_anon.c	1997/01/01 18:10:27	1.12
--- mod_auth_anon.c	1997/01/12 07:35:43
***************
*** 239,252 ****
  	  ) 
  	) {
        if (sec->auth_anon_logemail) {
! 	sprintf(errstr,"Anonymous: Passwd <%s> Accepted", 
  			send_pw ? send_pw : "\'none\'");
  	log_error (errstr, r->server );
        }
        return OK;
      } else {
          if (sec->auth_anon_authoritative) {
! 	sprintf(errstr,"Anonymous: Authoritative, Passwd <%s> not accepted",
  		send_pw ? send_pw : "\'none\'");
  	log_error(errstr,r->server);
  	return AUTH_REQUIRED;
--- 239,253 ----
  	  ) 
  	) {
        if (sec->auth_anon_logemail) {
! 	ap_snprintf(errstr, sizeof(errstr), "Anonymous: Passwd <%s> Accepted", 
  			send_pw ? send_pw : "\'none\'");
  	log_error (errstr, r->server );
        }
        return OK;
      } else {
          if (sec->auth_anon_authoritative) {
! 	ap_snprintf(errstr, sizeof(errstr),
! 		"Anonymous: Authoritative, Passwd <%s> not accepted",
  		send_pw ? send_pw : "\'none\'");
  	log_error(errstr,r->server);
  	return AUTH_REQUIRED;
Index: mod_auth_db.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_db.c,v
retrieving revision 1.9
diff -c -r1.9 mod_auth_db.c
*** mod_auth_db.c	1997/01/01 18:10:27	1.9
--- mod_auth_db.c	1997/01/12 07:38:10
***************
*** 201,207 ****
      if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) {
  	if (!(sec -> auth_dbauthoritative))
  	    return DECLINED; 
!         sprintf(errstr,"DB user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 201,207 ----
      if(!(real_pw = get_db_pw(r, c->user, sec->auth_dbpwfile))) {
  	if (!(sec -> auth_dbauthoritative))
  	    return DECLINED; 
!         ap_snprintf(errstr, sizeof(errstr), "DB user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 211,217 ****
      if (colon_pw) *colon_pw='\0';   
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         sprintf(errstr,"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 211,218 ----
      if (colon_pw) *colon_pw='\0';   
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         ap_snprintf(errstr, sizeof(errstr), 
! 		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 253,260 ****
             if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
  	       if (!(sec->auth_dbauthoritative))
  		 return DECLINED;
!                sprintf(errstr,"user %s not in DB group file %s",
! 		       user, sec->auth_dbgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
  	       return AUTH_REQUIRED;
--- 254,262 ----
             if (!(groups = get_db_grp(r, user, sec->auth_dbgrpfile))) {
  	       if (!(sec->auth_dbauthoritative))
  		 return DECLINED;
!                ap_snprintf(errstr, sizeof(errstr), 
! 			"user %s not in DB group file %s",
! 			user, sec->auth_dbgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
  	       return AUTH_REQUIRED;
***************
*** 269,275 ****
                         return OK;
                 }
             }
!            sprintf(errstr,"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
  	   return AUTH_REQUIRED;
--- 271,278 ----
                         return OK;
                 }
             }
!            ap_snprintf(errstr, sizeof(errstr), 
! 		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
  	   return AUTH_REQUIRED;
Index: mod_auth_dbm.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision 1.12
diff -c -r1.12 mod_auth_dbm.c
*** mod_auth_dbm.c	1997/01/01 18:10:28	1.12
--- mod_auth_dbm.c	1997/01/12 07:39:16
***************
*** 189,195 ****
      if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) {
  	if (!(sec->auth_dbmauthoritative))
  	    return DECLINED;
!         sprintf(errstr,"DBM user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 189,195 ----
      if(!(real_pw = get_dbm_pw(r, c->user, sec->auth_dbmpwfile))) {
  	if (!(sec->auth_dbmauthoritative))
  	    return DECLINED;
!         ap_snprintf(errstr, sizeof(errstr), "DBM user %s not found", c->user);
  	log_reason (errstr, r->filename, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 199,205 ****
      if (colon_pw) *colon_pw='\0';   
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         sprintf(errstr,"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 199,206 ----
      if (colon_pw) *colon_pw='\0';   
      /* anyone know where the prototype for crypt is? */
      if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
!         ap_snprintf(errstr, sizeof(errstr), 
! 		"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 241,248 ****
             if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) {
  	       if (!(sec->auth_dbmauthoritative))
  	           return DECLINED;
!                sprintf(errstr,"user %s not in DBM group file %s",
! 		       user, sec->auth_dbmgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
  	       return AUTH_REQUIRED;
--- 242,250 ----
             if (!(groups = get_dbm_grp(r, user, sec->auth_dbmgrpfile))) {
  	       if (!(sec->auth_dbmauthoritative))
  	           return DECLINED;
!                ap_snprintf(errstr, sizeof(errstr), 
! 			"user %s not in DBM group file %s",
! 			user, sec->auth_dbmgrpfile);
  	       log_reason (errstr, r->filename, r);
  	       note_basic_auth_failure (r);
  	       return AUTH_REQUIRED;
***************
*** 257,263 ****
                         return OK;
                 }
             }
!            sprintf(errstr,"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
  	   return AUTH_REQUIRED;
--- 259,266 ----
                         return OK;
                 }
             }
!            ap_snprintf(errstr, sizeof(errstr), 
! 		"user %s not in right group",user);
  	   log_reason (errstr, r->filename, r);
             note_basic_auth_failure(r);
  	   return AUTH_REQUIRED;
Index: mod_auth_msql.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_auth_msql.c,v
retrieving revision 1.17
diff -c -r1.17 mod_auth_msql.c
*** mod_auth_msql.c	1997/01/01 18:10:28	1.17
--- mod_auth_msql.c	1997/01/12 07:49:35
***************
*** 560,566 ****
  
        /* does this fit ? */
        if (j >= (MAX_FIELD_LEN-1)) {
! 	sprintf(msql_errstr,"Could not escape '%s', longer than %d",in,MAX_FIELD_LEN);
  	return NULL;
  	};
  
--- 560,567 ----
  
        /* does this fit ? */
        if (j >= (MAX_FIELD_LEN-1)) {
! 	ap_snprintf(msql_errstr, MAX_STRING_LENGTH, 
! 		"Could not escape '%s', longer than %d",in,MAX_FIELD_LEN);
  	return NULL;
  	};
  
***************
*** 601,607 ****
  	/* (re) open if nessecary
  	 */
      	if (sock==-1) if ((sock=msqlConnect(host)) == -1) {
! 		sprintf (msql_errstr,
  			"mSQL: Could not connect to Msql DB %s (%s)",
  			(sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg);
--- 602,608 ----
  	/* (re) open if nessecary
  	 */
      	if (sock==-1) if ((sock=msqlConnect(host)) == -1) {
! 		ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Could not connect to Msql DB %s (%s)",
  			(sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg);
***************
*** 612,618 ****
  	 * and is quite cheap anyway
  	 */
      	if (msqlSelectDB(sock,sec->auth_msql_database) == -1 ) {
! 		sprintf (msql_errstr,"mSQL: Could not select Msql Table \'%s\' on host \'%s\'(%s)",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg);
--- 613,620 ----
  	 * and is quite cheap anyway
  	 */
      	if (msqlSelectDB(sock,sec->auth_msql_database) == -1 ) {
! 		ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
! 			"mSQL: Could not select Msql Table \'%s\' on host \'%s\'(%s)",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg);
***************
*** 622,628 ****
  		}
  
      	if (msqlQuery(sock,query) == -1 ) {
! 		sprintf (msql_errstr,"mSQL: Could not Query database '%s' on host '%s' (%s) with query [%s]",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  		        msqlErrMsg,
--- 624,631 ----
  		}
  
      	if (msqlQuery(sock,query) == -1 ) {
! 		ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
! 			"mSQL: Could not Query database '%s' on host '%s' (%s) with query [%s]",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  		        msqlErrMsg,
***************
*** 633,639 ****
  		}
  
  	if (!(results=msqlStoreResult())) {
! 		sprintf (msql_errstr,"mSQL: Could not get the results from mSQL database \'%s\' on \'%s\' (%s) with query [%s]",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg,
--- 636,643 ----
  		}
  
  	if (!(results=msqlStoreResult())) {
! 		ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
! 			"mSQL: Could not get the results from mSQL database \'%s\' on \'%s\' (%s) with query [%s]",
  			(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  		        (sec->auth_msql_host ? sec->auth_msql_host : "\'unset, assuming localhost!\'"),
  			msqlErrMsg,
***************
*** 649,656 ****
            /* complain if there are to many
             * matches.
             */
!           sprintf (msql_errstr,"mSQL: More than %d matches (%d) whith query [%s]",
!           	   once,hit,( query ? query : "\'unset!\'") );
  	} else
  	/* if we have a it, try to get it
  	*/
--- 653,661 ----
            /* complain if there are to many
             * matches.
             */
!           ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
! 		"mSQL: More than %d matches (%d) whith query [%s]",
!          	once,hit,( query ? query : "\'unset!\'") );
  	} else
  	/* if we have a it, try to get it
  	*/
***************
*** 658,664 ****
  		if ( (currow=msqlFetchRow(results)) != NULL) {
  			/* copy the first matching field value */
  			if (!(result=palloc(r->pool,strlen(currow[0])+1))) {
! 				sprintf (msql_errstr,"mSQL: Could not get memory for mSQL %s (%s) with [%s]",
  					(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  					msqlErrMsg,
  					( query ? query : "\'unset!\'") );
--- 663,670 ----
  		if ( (currow=msqlFetchRow(results)) != NULL) {
  			/* copy the first matching field value */
  			if (!(result=palloc(r->pool,strlen(currow[0])+1))) {
! 				ap_snprintf (msql_errstr, MAX_STRING_LENGTH,
! 					"mSQL: Could not get memory for mSQL %s (%s) with [%s]",
  					(sec->auth_msql_database ? sec->auth_msql_database : "\'unset!\'"),
  					msqlErrMsg,
  					( query ? query : "\'unset!\'") );
***************
*** 695,701 ****
  	    (!sec->auth_msql_pwd_field) ||
  	    (!sec->auth_msql_uname_field)
  	   ) {
! 		sprintf(msql_errstr,
  			"mSQL: Missing parameters for password lookup: %s%s%s",
  			(sec->auth_msql_pwd_table ? "" : "Password table "),
  			(sec->auth_msql_pwd_field ? "" : "Password field name "),
--- 701,707 ----
  	    (!sec->auth_msql_pwd_field) ||
  	    (!sec->auth_msql_uname_field)
  	   ) {
! 		ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Missing parameters for password lookup: %s%s%s",
  			(sec->auth_msql_pwd_table ? "" : "Password table "),
  			(sec->auth_msql_pwd_field ? "" : "Password field name "),
***************
*** 705,715 ****
  		};
  
      	if (!(msql_escape(esc_user, user, msql_errstr))) {
! 		sprintf(msql_errstr,
  			"mSQL: Could not cope/escape the '%s' user_id value; ",user);
  		return NULL;
      	};
!     	sprintf(query,"select %s from %s where %s='%s'",
  		sec->auth_msql_pwd_field,
  		sec->auth_msql_pwd_table,
  		sec->auth_msql_uname_field,
--- 711,722 ----
  		};
  
      	if (!(msql_escape(esc_user, user, msql_errstr))) {
! 		ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Could not cope/escape the '%s' user_id value; ",user);
  		return NULL;
      	};
!     	ap_snprintf(query, sizeof(query),
! 		"select %s from %s where %s='%s'",
  		sec->auth_msql_pwd_field,
  		sec->auth_msql_pwd_table,
  		sec->auth_msql_uname_field,
***************
*** 731,737 ****
  	    (!sec->auth_msql_grp_field) ||
  	    (!sec->auth_msql_uname_field)
  	   ) {
! 		sprintf(msql_errstr,
  			"mSQL: Missing parameters for group lookup: %s%s%s",
  			(sec->auth_msql_grp_table ? "" : "Group table "),
  			(sec->auth_msql_grp_field ? "" : "GroupID field name "),
--- 738,744 ----
  	    (!sec->auth_msql_grp_field) ||
  	    (!sec->auth_msql_uname_field)
  	   ) {
! 		ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Missing parameters for group lookup: %s%s%s",
  			(sec->auth_msql_grp_table ? "" : "Group table "),
  			(sec->auth_msql_grp_field ? "" : "GroupID field name "),
***************
*** 741,759 ****
  		};
  
      	if (!(msql_escape(esc_user, user,msql_errstr))) {
! 		sprintf(msql_errstr,
  			"mSQL: Could not cope/escape the '%s' user_id value",user);
  
  		return NULL;
      	};
      	if (!(msql_escape(esc_group, group,msql_errstr))) {
! 		sprintf(msql_errstr,
  			"mSQL: Could not cope/escape the '%s' group_id value",group);
  
  		return NULL;
      	};
  
!     	sprintf(query,"select %s from %s where %s='%s' and %s='%s'",
  		sec->auth_msql_grp_field,
  		sec->auth_msql_grp_table,
  		sec->auth_msql_uname_field,esc_user,
--- 748,767 ----
  		};
  
      	if (!(msql_escape(esc_user, user,msql_errstr))) {
! 		ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Could not cope/escape the '%s' user_id value",user);
  
  		return NULL;
      	};
      	if (!(msql_escape(esc_group, group,msql_errstr))) {
! 		ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
  			"mSQL: Could not cope/escape the '%s' group_id value",group);
  
  		return NULL;
      	};
  
!     	ap_snprintf(query, sizeof(query), 
! 		"select %s from %s where %s='%s' and %s='%s'",
  		sec->auth_msql_grp_field,
  		sec->auth_msql_grp_table,
  		sec->auth_msql_uname_field,esc_user,
***************
*** 770,775 ****
--- 778,786 ----
        (msql_auth_config_rec *)get_module_config (r->per_dir_config,
  						&msql_auth_module);
      char msql_errstr[MAX_STRING_LEN];
+         /* msql_errstr must be MAX_STRING_LEN in size unless you
+          * change size in ap_snprintf() calls
+          */
      conn_rec *c = r->connection;
      char *sent_pw, *real_pw;
      int res;
***************
*** 795,801 ****
  		if (sec->auth_msql_authoritative) {
            	   /* insist that the user is in the database
            	    */
!           	   sprintf(msql_errstr,"mSQL: Password for user %s not found", c->user);
  		   note_basic_auth_failure (r);
  		   res = AUTH_REQUIRED;
  		   } else {
--- 806,813 ----
  		if (sec->auth_msql_authoritative) {
            	   /* insist that the user is in the database
            	    */
!           	   ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
! 			"mSQL: Password for user %s not found", c->user);
  		   note_basic_auth_failure (r);
  		   res = AUTH_REQUIRED;
  		   } else {
***************
*** 814,820 ****
  
      if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) {
  /*
!         sprintf(msql_errstr,"mSQL: user %s: Empty/'any' password accepted",c->user);
  	log_reason (msql_errstr, r->uri, r);
   */
  	return OK;
--- 826,833 ----
  
      if ((sec->auth_msql_nopasswd) && (!strlen(real_pw))) {
  /*
!         ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
! 		"mSQL: user %s: Empty/'any' password accepted",c->user);
  	log_reason (msql_errstr, r->uri, r);
   */
  	return OK;
***************
*** 824,830 ****
       * an arms length.
       */
      if ((!strlen(real_pw)) || (!strlen(sent_pw))) {
!         sprintf(msql_errstr,"mSQL: user %s: Empty Password(s) Rejected",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 837,844 ----
       * an arms length.
       */
      if ((!strlen(real_pw)) || (!strlen(sent_pw))) {
!         ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
! 		"mSQL: user %s: Empty Password(s) Rejected",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 842,848 ****
          };
  
      if (strcmp(real_pw,sent_pw)) {
!         sprintf(msql_errstr,"mSQL user %s: password mismatch",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
--- 856,863 ----
          };
  
      if (strcmp(real_pw,sent_pw)) {
!         ap_snprintf(msql_errstr, MAX_STRING_LENGTH,
! 		"mSQL user %s: password mismatch",c->user);
  	log_reason (msql_errstr, r->uri, r);
  	note_basic_auth_failure (r);
  	return AUTH_REQUIRED;
***************
*** 859,864 ****
--- 874,882 ----
        (msql_auth_config_rec *)get_module_config (r->per_dir_config,
  						&msql_auth_module);
      char msql_errstr[MAX_STRING_LEN];
+ 	/* msql_errstr must be MAX_STRING_LEN in size unless you
+ 	 * change size in ap_snprintf() calls
+ 	 */
      char *user = r->connection->user;
      int m = r->method_number;
      array_header *reqs_arr = requires (r);
***************
*** 873,879 ****
  
      if (!reqs_arr) {
  	if (sec->auth_msql_authoritative) {
! 	        sprintf(msql_errstr,"user %s denied, no access rules specified (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
  	        note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
--- 891,897 ----
  
      if (!reqs_arr) {
  	if (sec->auth_msql_authoritative) {
! 	        ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "user %s denied, no access rules specified (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
  	        note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
***************
*** 898,904 ****
  		};
              }
  	    if ((sec->auth_msql_authoritative) && ( user_result != OK)) {
!            	sprintf(msql_errstr,"User %s not found (MSQL-Auhtorative)",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
--- 916,922 ----
  		};
              }
  	    if ((sec->auth_msql_authoritative) && ( user_result != OK)) {
!            	ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "User %s not found (MSQL-Auhtorative)",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
***************
*** 926,932 ****
  		};
  
  	   if ( (sec->auth_msql_authoritative) && (group_result != OK) ) {
!            	sprintf(msql_errstr,"user %s not in right groups (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
--- 944,950 ----
  		};
  
  	   if ( (sec->auth_msql_authoritative) && (group_result != OK) ) {
!            	ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "user %s not in right groups (MSQL-Authoritative) ",user);
  		log_reason (msql_errstr, r->uri, r);
             	note_basic_auth_failure(r);
  		return AUTH_REQUIRED;
***************
*** 943,949 ****
       * This really is not needed.
       */
      if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) {
!         sprintf(msql_errstr,"mSQL-Authoritative: Access denied on %s %s rule(s) ", 
  		(group_result == AUTH_REQUIRED) ? "USER" : "", 
  		(user_result == AUTH_REQUIRED) ? "GROUP" : ""
  		);
--- 961,967 ----
       * This really is not needed.
       */
      if (((group_result == AUTH_REQUIRED) || (user_result == AUTH_REQUIRED)) && (sec->auth_msql_authoritative) ) {
!         ap_snprintf(msql_errstr, MAX_STRING_LENGTH, "mSQL-Authoritative: Access denied on %s %s rule(s) ", 
  		(group_result == AUTH_REQUIRED) ? "USER" : "", 
  		(user_result == AUTH_REQUIRED) ? "GROUP" : ""
  		);
Index: mod_cgi.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.27
diff -c -r1.27 mod_cgi.c
*** mod_cgi.c	1997/01/01 18:10:30	1.27
--- mod_cgi.c	1997/01/12 07:50:20
***************
*** 331,337 ****
       * now, so that's what we use).
       */
      
!     sprintf(err_string,
  	    "exec of %s failed, errno is %d\n", r->filename, errno);
      write(2, err_string, strlen(err_string));
      exit(0);
--- 331,337 ----
       * now, so that's what we use).
       */
      
!     ap_snprintf(err_string, sizeof(err_string),
  	    "exec of %s failed, errno is %d\n", r->filename, errno);
      write(2, err_string, strlen(err_string));
      exit(0);
Index: mod_digest.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_digest.c,v
retrieving revision 1.12
diff -c -r1.12 mod_digest.c
*** mod_digest.c	1997/01/01 18:10:30	1.12
--- mod_digest.c	1997/01/12 22:33:39
***************
*** 277,290 ****
          return DECLINED;
  	
      if (!(a1 = get_hash(r, c->user, sec->pwfile))) {
!         sprintf(errstr,"user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
  	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(response->digest, find_digest(r, response, a1))) {
!         sprintf(errstr,"user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
  	return AUTH_REQUIRED;
--- 277,290 ----
          return DECLINED;
  	
      if (!(a1 = get_hash(r, c->user, sec->pwfile))) {
!         ap_snprintf(errstr, sizeof(errstr), "user %s not found",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
  	return AUTH_REQUIRED;
      }
      /* anyone know where the prototype for crypt is? */
      if(strcmp(response->digest, find_digest(r, response, a1))) {
!         ap_snprintf(errstr, sizeof(errstr), "user %s: password mismatch",c->user);
  	log_reason (errstr, r->uri, r);
  	note_digest_auth_failure (r);
  	return AUTH_REQUIRED;
Index: mod_expires.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_expires.c,v
retrieving revision 1.5
diff -c -r1.5 mod_expires.c
*** mod_expires.c	1997/01/01 18:10:32	1.5
--- mod_expires.c	1997/01/18 07:43:12
***************
*** 321,327 ****
  	word = getword_conf( pool, &code );
      };
  
!     sprintf( foo, "%c%d", base, modifier );
      *real_code = pstrdup( pool, foo );
  
      return NULL;
--- 321,327 ----
  	word = getword_conf( pool, &code );
      };
  
!     ap_snprintf(foo, sizeof(foo), "%c%d", base, modifier );
      *real_code = pstrdup( pool, foo );
  
      return NULL;
Index: mod_imap.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_imap.c,v
retrieving revision 1.14
diff -c -r1.14 mod_imap.c
*** mod_imap.c	1997/01/01 18:10:33	1.14
--- mod_imap.c	1997/01/12 23:12:14
***************
*** 354,360 ****
    return(string - starting_pos); /* return the total characters read */
  }
  
! 
  void imap_url(request_rec *r, char *base, char *value, char *url) 
  {
  /* translates a value into a URL. */
--- 354,362 ----
    return(string - starting_pos); /* return the total characters read */
  }
  
! /*
!  * url needs to point to a string with at least SMALLBUF memory allocated
!  */
  void imap_url(request_rec *r, char *base, char *value, char *url) 
  {
  /* translates a value into a URL. */
***************
*** 366,389 ****
  
    if ( ! strcasecmp(value, "map" ) || ! strcasecmp(value, "menu") ) {
      if (r->server->port == 80 ) { 
!       sprintf(url, "http://%s%s", r->server->server_hostname, r->uri);
      }
      else {
!       sprintf(url, "http://%s:%d%s", r->server->server_hostname,
  	      r->server->port, r->uri);      
      }
      return;  
    }
  
    if ( ! strcasecmp(value, "nocontent") || ! strcasecmp(value, "error") ) {
!     strncpy(url, value, SMALLBUF);
      return;    /* these are handled elsewhere, so just copy them */
    }
  
    if ( ! strcasecmp(value, "referer" ) ) {
      referer = table_get(r->headers_in, "Referer");
      if ( referer && *referer ) {
!       strncpy(url, referer, SMALLBUF);
        return;
      }
      else {
--- 368,394 ----
  
    if ( ! strcasecmp(value, "map" ) || ! strcasecmp(value, "menu") ) {
      if (r->server->port == 80 ) { 
!       ap_snprintf(url, SMALLBUF,
! 		"http://%s%s", r->server->server_hostname, r->uri);
      }
      else {
!       ap_snprintf(url, SMALLBUF, "http://%s:%d%s", r->server->server_hostname,
  	      r->server->port, r->uri);      
      }
      return;  
    }
  
    if ( ! strcasecmp(value, "nocontent") || ! strcasecmp(value, "error") ) {
!     strncpy(url, value, SMALLBUF-1);
!     url[SMALLBUF-1] = '\0';
      return;    /* these are handled elsewhere, so just copy them */
    }
  
    if ( ! strcasecmp(value, "referer" ) ) {
      referer = table_get(r->headers_in, "Referer");
      if ( referer && *referer ) {
!       strncpy(url, referer, SMALLBUF-1);
!       url[SMALLBUF-1] = '\0';
        return;
      }
      else {
***************
*** 395,421 ****
    while ( isalpha(*string_pos) )
      string_pos++;    /* go along the URL from the map until a non-letter */
    if ( *string_pos == ':' ) { 
!     strncpy(url, value, SMALLBUF);        /* if letters and then a colon (like http:) */
      return;                    /* it's an absolute URL, so use it! */
    }
  
    if ( ! base || ! *base ) {
      if ( value && *value ) {  
!       strncpy(url, value, SMALLBUF);   /* no base: use what is given */
      }         
      else {                  
        if (r->server->port == 80 ) {  
! 	sprintf(url, "http://%s/", r->server->server_hostname);
        }            
        if (r->server->port != 80 ) {
! 	sprintf(url, "http://%s:%d/", r->server->server_hostname, 
! 		r->server->port);
        }                     /* no base, no value: pick a simple default */
      }
      return;  
    }
  
!   strncpy(my_base, base, SMALLBUF);  /* must be a relative URL to be combined with base */
    string_pos = my_base; 
    while (*string_pos) {  
      if (*string_pos == '/' && *(string_pos+1) == '/') {
--- 400,429 ----
    while ( isalpha(*string_pos) )
      string_pos++;    /* go along the URL from the map until a non-letter */
    if ( *string_pos == ':' ) { 
!     strncpy(url, value, SMALLBUF-1);        /* if letters and then a colon (like http:) */
!     url[SMALLBUF-1] = '\0';
      return;                    /* it's an absolute URL, so use it! */
    }
  
    if ( ! base || ! *base ) {
      if ( value && *value ) {  
!       strncpy(url, value, SMALLBUF-1);   /* no base: use what is given */
!       url[SMALLBUF-1] = '\0';
      }         
      else {                  
        if (r->server->port == 80 ) {  
! 	ap_snprintf(url, SMALLBUF, "http://%s/", r->server->server_hostname);
        }            
        if (r->server->port != 80 ) {
! 	ap_snprintf(url, SMALLBUF, "http://%s:%d/",
! 		r->server->server_hostname, r->server->port);
        }                     /* no base, no value: pick a simple default */
      }
      return;  
    }
  
!   strncpy(my_base, base, sizeof(my_base)-1);  /* must be a relative URL to be combined with base */
!   my_base[sizeof(my_base)-1] = '\0';
    string_pos = my_base; 
    while (*string_pos) {  
      if (*string_pos == '/' && *(string_pos+1) == '/') {
***************
*** 473,482 ****
    }                   /* by this point, value does not start with '..' */
  
    if ( value && *value ) {
!     sprintf(url, "%s%s", my_base, value);   
    }
    else {
!     sprintf(url, "%s", my_base);   
    }
    return;
  }
--- 481,490 ----
    }                   /* by this point, value does not start with '..' */
  
    if ( value && *value ) {
!     ap_snprintf(url, SMALLBUF, "%s%s", my_base, value);   
    }
    else {
!     ap_snprintf(url, SMALLBUF, "%s", my_base);   
    }
    return;
  }
***************
*** 600,605 ****
--- 608,616 ----
  int imap_handler(request_rec *r)
  {
    char input[LARGEBUF] = {'\0'};
+ 	/* size of input can not be lowered without changing hard-coded
+ 	 * checks
+ 	 */
    char href_text[SMALLBUF] = {'\0'};
    char base[SMALLBUF] = {'\0'};
    char redirect[SMALLBUF] = {'\0'};
***************
*** 675,681 ****
      } /* blank lines and comments are ignored if we aren't printing a menu */
  
  
!     if (sscanf(input, "%s %s", directive, value) != 2) {
        continue;                           /* make sure we read two fields */
      }
      /* Now skip what we just read... we can't use ANSIism %n */
--- 686,692 ----
      } /* blank lines and comments are ignored if we aren't printing a menu */
  
  
!     if (sscanf(input, "%.200s %.200s", directive, value) != 2) {
        continue;                           /* make sure we read two fields */
      }
      /* Now skip what we just read... we can't use ANSIism %n */
***************
*** 698,704 ****
        imap_url(r, NULL, value, mapdflt);
        if (showmenu) {              /* print the default if there's a menu */
  	if (! *href_text) {           /* if we didn't find a "href text" */
! 	  strncpy(href_text, mapdflt, SMALLBUF); /* use the href itself as text */
  	}
  	imap_url(r, base, mapdflt, redirect); 
  	menu_default(r, imap_menu, redirect, href_text);
--- 709,716 ----
        imap_url(r, NULL, value, mapdflt);
        if (showmenu) {              /* print the default if there's a menu */
  	if (! *href_text) {           /* if we didn't find a "href text" */
! 	  strncpy(href_text, mapdflt, sizeof(href_text)-1); /* use the href itself as text */
! 	  href_text[sizeof(href_text)-1] = '\0';
  	}
  	imap_url(r, base, mapdflt, redirect); 
  	menu_default(r, imap_menu, redirect, href_text);
***************
*** 729,735 ****
      if (showmenu) {
        read_quoted(string_pos, href_text); /* href text could be here instead */
        if (! *href_text) {           /* if we didn't find a "href text" */
! 	strncpy(href_text, value, SMALLBUF);  /* use the href itself in the menu */
        }
        imap_url(r, base, value, redirect); 
        menu_directive(r, imap_menu, redirect, href_text);
--- 741,748 ----
      if (showmenu) {
        read_quoted(string_pos, href_text); /* href text could be here instead */
        if (! *href_text) {           /* if we didn't find a "href text" */
! 	strncpy(href_text, value, sizeof(href_text)-1);  /* use the href itself in the menu */
! 	href_text[sizeof(href_text)-1] = '\0';
        }
        imap_url(r, base, value, redirect); 
        menu_directive(r, imap_menu, redirect, href_text);
***************
*** 774,780 ****
      if ( ! strcasecmp(directive, "point" ) ) {         /* point */
        
        if (is_closer(testpoint, pointarray, &closest_yet) ) {
! 	strncpy(closest, value, SMALLBUF);  /* if the closest point yet save it */
        }
        
        continue;    
--- 787,794 ----
      if ( ! strcasecmp(directive, "point" ) ) {         /* point */
        
        if (is_closer(testpoint, pointarray, &closest_yet) ) {
! 	strncpy(closest, value, sizeof(closest)-1);  /* if the closest point yet save it */
! 	closest[sizeof(closest)-1] = '\0';
        }
        
        continue;    
Index: mod_include.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_include.c,v
retrieving revision 1.20
diff -c -r1.20 mod_include.c
*** mod_include.c	1997/01/01 18:10:35	1.20
--- mod_include.c	1997/01/18 07:48:20
***************
*** 98,104 ****
        table_set(e, "USER_NAME", pw->pw_name);
      } else {
        char uid[16];
!       sprintf(uid, "user#%lu", (unsigned long)r->finfo.st_uid);
        table_set(e, "USER_NAME", uid);
      }
  
--- 98,104 ----
        table_set(e, "USER_NAME", pw->pw_name);
      } else {
        char uid[16];
!       ap_snprintf(uid, sizeof(uid), "user#%lu", (unsigned long)r->finfo.st_uid);
        table_set(e, "USER_NAME", uid);
      }
  
***************
*** 261,267 ****
  		GET_CHAR(in,c,NULL,p);
  	    } while (isspace(c));
              if(c == '>') {
!                 strcpy(tag,"done");
                  return tag;
              }
          }
--- 261,268 ----
  		GET_CHAR(in,c,NULL,p);
  	    } while (isspace(c));
              if(c == '>') {
!                 strncpy(tag,"done", tagbuf_len-1);
! 		tag[tagbuf_len-1] = '\0';
                  return tag;
              }
          }
***************
*** 462,468 ****
  	    if (tag[0] == 'f')
  	    { /* be safe; only files in this directory or below allowed */
  		char tmp[MAX_STRING_LEN+2];
! 		sprintf(tmp, "/%s/", parsed_string);
  		if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL)
  		    error_fmt = "unable to include file %s in parsed file %s";
  		else
--- 463,469 ----
  	    if (tag[0] == 'f')
  	    { /* be safe; only files in this directory or below allowed */
  		char tmp[MAX_STRING_LEN+2];
! 		ap_snprintf(tmp, sizeof(tmp), "/%s/", parsed_string);
  		if (parsed_string[0] == '/' || strstr(tmp, "/../") != NULL)
  		    error_fmt = "unable to include file %s in parsed file %s";
  		else
***************
*** 567,574 ****
  #ifdef DEBUG_INCLUDE_CMD    
      fprintf (dbg, "Exec failed\n");
  #endif    
!     sprintf(err_string, "httpd: exec of %s failed, errno is %d\n",
! 	    SHELL_PATH,errno);
      write (2, err_string, strlen(err_string));
      exit(0);
  }
--- 568,576 ----
  #ifdef DEBUG_INCLUDE_CMD    
      fprintf (dbg, "Exec failed\n");
  #endif    
!     ap_snprintf(err_string, sizeof(err_string),
! 	"httpd: exec of %s failed, errno is %d\n",
! 	SHELL_PATH,errno);
      write (2, err_string, strlen(err_string));
      exit(0);
  }
***************
*** 653,658 ****
--- 655,663 ----
      }
  }
  
+ /* error and tf must point to a string with room for at 
+  * least MAX_STRING_LEN characters 
+  */
  int handle_config(FILE *in, request_rec *r, char *error, char *tf,
                    int *sizefmt) {
      char tag[MAX_STRING_LEN];
***************
*** 665,675 ****
              return 1;
          if(!strcmp(tag,"errmsg")) {
              parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0);
!             strcpy(error,parsed_string);
          } else if(!strcmp(tag,"timefmt")) {
    	    time_t date = r->request_time;
              parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0);
!             strcpy(tf,parsed_string);
              table_set (env, "DATE_LOCAL", ht_time(r->pool,date,tf,0));
              table_set (env, "DATE_GMT", ht_time(r->pool,date,tf,1));
              table_set (env, "LAST_MODIFIED", ht_time(r->pool,r->finfo.st_mtime,tf,0));
--- 670,682 ----
              return 1;
          if(!strcmp(tag,"errmsg")) {
              parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0);
!             strncpy(error,parsed_string,MAX_STRING_LEN-1);
! 	    error[MAX_STRING_LEN-1] = '\0';
          } else if(!strcmp(tag,"timefmt")) {
    	    time_t date = r->request_time;
              parse_string(r, tag_val, parsed_string, MAX_STRING_LEN, 0);
!             strncpy(tf,parsed_string,MAX_STRING_LEN-1);
! 	    tf[MAX_STRING_LEN-1] = '\0';
              table_set (env, "DATE_LOCAL", ht_time(r->pool,date,tf,0));
              table_set (env, "DATE_GMT", ht_time(r->pool,date,tf,1));
              table_set (env, "LAST_MODIFIED", ht_time(r->pool,r->finfo.st_mtime,tf,0));
***************
*** 759,767 ****
                  else {
                      int l,x;
  #if defined(BSD) && BSD > 199305
!                     sprintf(tag,"%qd",finfo.st_size);
  #else
!                     sprintf(tag,"%ld",finfo.st_size);
  #endif
                      l = strlen(tag); /* grrr */
                      for(x=0;x<l;x++) {
--- 766,775 ----
                  else {
                      int l,x;
  #if defined(BSD) && BSD > 199305
! 		    /* ap_snprintf can't handle %qd */
!                     sprintf(tag,"%qd", finfo.st_size);
  #else
!                     ap_snprintf(tag, sizeof(tag), "%ld",finfo.st_size);
  #endif
                      l = strlen(tag); /* grrr */
                      for(x=0;x<l;x++) {
***************
*** 964,971 ****
              switch(current->token.type) {
                case token_string:
                  if (current->token.value[0] != '\0')
!                     strncat(current->token.value, " ", MAX_STRING_LEN-1);
!                 strncat(current->token.value, new->token.value, MAX_STRING_LEN-1);
                  break;
                case token_eq:
                case token_ne:
--- 972,981 ----
              switch(current->token.type) {
                case token_string:
                  if (current->token.value[0] != '\0')
!                     strncat(current->token.value, " ", 
! 			MAX_STRING_LEN-strlen(current->token.value)-1);
!                 strncat(current->token.value, new->token.value, 
! 			MAX_STRING_LEN-strlen(current->token.value)-1);
                  break;
                case token_eq:
                case token_ne:
***************
*** 1188,1193 ****
--- 1198,1204 ----
  #endif
              parse_string(r, current->token.value, buffer, MAX_STRING_LEN, 0);
              strncpy(current->token.value, buffer, MAX_STRING_LEN-1);
+ 	    current->token.value[MAX_STRING_LEN-1] = '\0';
              current->value = (current->token.value[0] != '\0');
              current->done = 1;
              current = current->parent;
***************
*** 1212,1217 ****
--- 1223,1229 ----
                              buffer, MAX_STRING_LEN, 0);
                      strncpy(current->left->token.value, buffer,
                              MAX_STRING_LEN-1);
+ 		    current->left->token.value[MAX_STRING_LEN-1] = '\0';
                      current->left->done = 1;
                      break;
                    default:
***************
*** 1226,1231 ****
--- 1238,1244 ----
                              buffer, MAX_STRING_LEN, 0);
                      strncpy(current->right->token.value, buffer,
                              MAX_STRING_LEN-1);
+ 		    current->right->token.value[MAX_STRING_LEN-1] = '\0';
                      current->right->done = 1;
                      break;
                    default:
***************
*** 1267,1275 ****
--- 1280,1290 ----
              parse_string(r, current->left->token.value,
                           buffer, MAX_STRING_LEN, 0);
              strncpy(current->left->token.value, buffer, MAX_STRING_LEN-1);
+ 	    current->left->token.value[MAX_STRING_LEN-1] = '\0';
              parse_string(r, current->right->token.value,
                           buffer, MAX_STRING_LEN, 0);
              strncpy(current->right->token.value, buffer, MAX_STRING_LEN-1);
+ 	    current->right->token.value[MAX_STRING_LEN-1] = '\0';
              if (current->right->token.value[0] == '/') {
                  int len;
                  len = strlen(current->right->token.value);
***************
*** 1537,1544 ****
      int printing;
      int conditional_status;
  
!     strcpy(error,DEFAULT_ERROR_MSG);
!     strcpy(timefmt,DEFAULT_TIME_FORMAT);
      sizefmt = SIZEFMT_KMG;
  
  /*  Turn printing on */
--- 1552,1561 ----
      int printing;
      int conditional_status;
  
!     strncpy(error,DEFAULT_ERROR_MSG, sizeof(error)-1);
!     error[sizeof(error)-1] = '\0';
!     strncpy(timefmt,DEFAULT_TIME_FORMAT, sizeof(timefmt)-1);
!     timefmt[sizeof(timefmt)-1] = '\0';
      sizefmt = SIZEFMT_KMG;
  
  /*  Turn printing on */
Index: mod_info.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_info.c,v
retrieving revision 1.9
diff -c -r1.9 mod_info.c
*** mod_info.c	1997/01/12 20:50:29	1.9
--- mod_info.c	1997/01/19 22:24:33
***************
*** 88,105 ****
  
  char *mod_info_html_cmd_string(char *string) {
  	char *s,*t;
! 	static char ret[64];  /* What is the max size of a command? */
  
  	ret[0]='\0';
  	s = string;
  	t=ret;	
! 	while(*s) {
! 		if(*s=='<') { strcat(t,"&lt;"); t+=4*sizeof(char); }
! 		else if(*s=='>') { strcat(t,"&gt;"); t+=4*sizeof(char); }
  		else *t++=*s;
  		s++;
- 		*t='\0';
  	}
  	return(ret);
  }
  
--- 88,110 ----
  
  char *mod_info_html_cmd_string(char *string) {
  	char *s,*t;
! 	static char ret[256];  /* What is the max size of a command? */
  
  	ret[0]='\0';
  	s = string;
  	t=ret;	
! 	while((*s) && (strlen(t) < 256)) {
! 		if(*s=='<') { 
! 			strncat(t,"&lt;", sizeof(ret)-strlen(ret));
! 			t+=4*sizeof(char);
! 		} else if(*s=='>') {
! 			strncat(t,"&gt;", sizeof(ret)-strlen(ret));
! 			t+=4*sizeof(char);
! 		}
  		else *t++=*s;
  		s++;
  	}
+ 	*t='\0';
  	return(ret);
  }
  
***************
*** 244,250 ****
  
  int display_info(request_rec *r) {
  	module *modp = NULL;
! 	char buf[256], *cfname;
  	command_rec *cmd=NULL;
  	handler_rec *hand=NULL;
  	server_rec *serv = r->server;
--- 249,255 ----
  
  int display_info(request_rec *r) {
  	module *modp = NULL;
! 	char buf[512], *cfname;
  	command_rec *cmd=NULL;
  	handler_rec *hand=NULL;
  	server_rec *serv = r->server;
***************
*** 286,292 ****
  		if(!r->args) {
  			rputs("<tt><a href=\"#server\">Server Settings</a>, ",r);
  			for(modp = top_module; modp; modp = modp->next) {
! 				sprintf(buf,"<a href=\"#%s\">%s</a>",modp->name,modp->name);
  				rputs(buf, r);
  				if(modp->next) rputs(", ",r);
  			}
--- 291,297 ----
  		if(!r->args) {
  			rputs("<tt><a href=\"#server\">Server Settings</a>, ",r);
  			for(modp = top_module; modp; modp = modp->next) {
! 				ap_snprintf(buf, sizeof(buf), "<a href=\"#%s\">%s</a>",modp->name,modp->name);
  				rputs(buf, r);
  				if(modp->next) rputs(", ",r);
  			}
***************
*** 294,335 ****
  
  		}
  		if(!r->args || !strcasecmp(r->args,"server")) {	
! 			sprintf(buf,"<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%s</tt></a></font><br>\n",SERVER_VERSION);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>API Version:</strong> <tt>%d</tt><br>\n",MODULE_MAGIC_NUMBER);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Run Mode:</strong> <tt>%s</tt><br>\n",standalone?"standalone":"inetd");
  			rputs(buf,r);
! 			sprintf(buf,"<strong>User/Group:</strong> <tt>%s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Hostname/port:</strong> <tt>%s:%d</tt><br>\n",serv->server_hostname,serv->port);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Daemons:</strong> <tt>start: %d &nbsp;&nbsp; min idle: %d &nbsp;&nbsp; max idle: %d &nbsp;&nbsp; max: %d</tt><br>\n",daemons_to_start,daemons_min_free,daemons_max_free,daemons_limit);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Max Requests:</strong> <tt>per child: %d &nbsp;&nbsp; per connection: %d</tt><br>\n",max_requests_per_child,serv->keep_alive);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Timeouts:</strong> <tt>connection: %d &nbsp;&nbsp; keep-alive: %d</tt><br>",serv->timeout,serv->keep_alive_timeout);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Server Root:</strong> <tt>%s</tt><br>\n",server_root);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Config File:</strong> <tt>%s</tt><br>\n",server_confname);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>PID File:</strong> <tt>%s</tt><br>\n",pid_fname);
  			rputs(buf,r);
! 			sprintf(buf,"<strong>Scoreboard File:</strong> <tt>%s</tt><br>\n",scoreboard_fname);
  			rputs(buf,r);
  		}
  		rputs("<hr><dl>",r);
  		for(modp = top_module; modp; modp = modp->next) {
  			if(!r->args || !strcasecmp(modp->name,r->args)) {	
! 				sprintf(buf,"<dt><a name=\"%s\"><strong>Module Name:</strong> <font size=+1><tt>%s</tt></a></font>\n",modp->name,modp->name);
  				rputs(buf,r);
  				rputs("<dt><strong>Content-types affected:</strong>",r);	
  				hand = modp->handlers;
  				if(hand) {
  					while(hand) {
  						if(hand->content_type) {
! 							sprintf(buf," <tt>%s</tt>\n",hand->content_type);	
  							rputs(buf,r);
  						} else break;
  						hand++;
--- 299,340 ----
  
  		}
  		if(!r->args || !strcasecmp(r->args,"server")) {	
! 			ap_snprintf(buf, sizeof(buf), "<a name=\"server\"><strong>Server Version:</strong> <font size=+1><tt>%s</tt></a></font><br>\n",SERVER_VERSION);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>API Version:</strong> <tt>%d</tt><br>\n",MODULE_MAGIC_NUMBER);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Run Mode:</strong> <tt>%s</tt><br>\n",standalone?"standalone":"inetd");
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>User/Group:</strong> <tt>%s(%d)/%d</tt><br>\n",user_name,(int)user_id,(int)group_id);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Hostname/port:</strong> <tt>%s:%d</tt><br>\n",serv->server_hostname,serv->port);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Daemons:</strong> <tt>start: %d &nbsp;&nbsp; min idle: %d &nbsp;&nbsp; max idle: %d &nbsp;&nbsp; max: %d</tt><br>\n",daemons_to_start,daemons_min_free,daemons_max_free,daemons_limit);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Max Requests:</strong> <tt>per child: %d &nbsp;&nbsp; per connection: %d</tt><br>\n",max_requests_per_child,serv->keep_alive);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Timeouts:</strong> <tt>connection: %d &nbsp;&nbsp; keep-alive: %d</tt><br>",serv->timeout,serv->keep_alive_timeout);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Server Root:</strong> <tt>%s</tt><br>\n",server_root);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Config File:</strong> <tt>%s</tt><br>\n",server_confname);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>PID File:</strong> <tt>%s</tt><br>\n",pid_fname);
  			rputs(buf,r);
! 			ap_snprintf(buf, sizeof(buf), "<strong>Scoreboard File:</strong> <tt>%s</tt><br>\n",scoreboard_fname);
  			rputs(buf,r);
  		}
  		rputs("<hr><dl>",r);
  		for(modp = top_module; modp; modp = modp->next) {
  			if(!r->args || !strcasecmp(modp->name,r->args)) {	
! 				ap_snprintf(buf, sizeof(buf), "<dt><a name=\"%s\"><strong>Module Name:</strong> <font size=+1><tt>%s</tt></a></font>\n",modp->name,modp->name);
  				rputs(buf,r);
  				rputs("<dt><strong>Content-types affected:</strong>",r);	
  				hand = modp->handlers;
  				if(hand) {
  					while(hand) {
  						if(hand->content_type) {
! 							ap_snprintf(buf, sizeof(buf), " <tt>%s</tt>\n",hand->content_type);	
  							rputs(buf,r);
  						} else break;
  						hand++;
***************
*** 380,386 ****
  				if(cmd) {
  					while(cmd) {
  						if(cmd->name) {
! 							sprintf(buf,"<dd><tt>%s - <i>",mod_info_html_cmd_string(cmd->name));	
  							rputs(buf,r);
  							if(cmd->errmsg) rputs(cmd->errmsg,r);
  							rputs("</i></tt>\n",r);
--- 385,391 ----
  				if(cmd) {
  					while(cmd) {
  						if(cmd->name) {
! 							ap_snprintf(buf, sizeof(buf), "<dd><tt>%s - <i>",mod_info_html_cmd_string(cmd->name));	
  							rputs(buf,r);
  							if(cmd->errmsg) rputs(cmd->errmsg,r);
  							rputs("</i></tt>\n",r);
Index: mod_log_agent.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_log_agent.c,v
retrieving revision 1.8
diff -c -r1.8 mod_log_agent.c
*** mod_log_agent.c	1997/01/10 09:34:42	1.8
--- mod_log_agent.c	1997/01/15 06:46:57
***************
*** 170,176 ****
      agent = table_get(orig->headers_in, "User-Agent");
      if(agent != NULL) 
        {
! 	sprintf(str, "%s\n", agent);
  	write(cls->agent_fd, str, strlen(str));
        }
      
--- 170,176 ----
      agent = table_get(orig->headers_in, "User-Agent");
      if(agent != NULL) 
        {
! 	ap_snprintf(str, sizeof(str), "%s\n", agent);
  	write(cls->agent_fd, str, strlen(str));
        }
      
Index: mod_log_config.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_log_config.c,v
retrieving revision 1.21
diff -c -r1.21 mod_log_config.c
*** mod_log_config.c	1997/01/16 08:06:12	1.21
--- mod_log_config.c	1997/01/18 07:50:18
***************
*** 224,230 ****
  char *format_integer(pool *p, int i)
  {
      char dummy[40];
!     sprintf (dummy, "%d", i);
      return pstrdup (p, dummy);
  }
  
--- 224,230 ----
  char *format_integer(pool *p, int i)
  {
      char dummy[40];
!     ap_snprintf (dummy, sizeof(dummy), "%d", i);
      return pstrdup (p, dummy);
  }
  
***************
*** 271,277 ****
  	long int bs;
  	char dummy[40];
  	bgetopt(r->connection->client, BO_BYTECT, &bs);
! 	sprintf(dummy, "%ld", bs);
  	return pstrdup(r->pool, dummy);
      }
  }
--- 271,277 ----
  	long int bs;
  	char dummy[40];
  	bgetopt(r->connection->client, BO_BYTECT, &bs);
! 	ap_snprintf(dummy, sizeof(dummy), "%ld", bs);
  	return pstrdup(r->pool, dummy);
      }
  }
***************
*** 309,316 ****
  	if(timz < 0) timz = -timz;
  
  	strftime(tstr,MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t);
! 	sprintf (tstr + strlen(tstr), "%c%.2d%.2d]",
! 		 sign, timz/60, timz%60);
      }
  
      return pstrdup (r->pool, tstr);
--- 309,316 ----
  	if(timz < 0) timz = -timz;
  
  	strftime(tstr,MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t);
! 	ap_snprintf (tstr + strlen(tstr), sizeof(tstr)-strlen(tstr), 
! 		"%c%.2d%.2d]", sign, timz/60, timz%60);
      }
  
      return pstrdup (r->pool, tstr);
***************
*** 319,325 ****
  char *log_request_duration (request_rec *r, char *a) {
      char duration[22];	/* Long enough for 2^64 */
  
!     sprintf(duration, "%ld", time(NULL) - r->request_time);
      return pstrdup(r->pool, duration);
  }
  
--- 319,325 ----
  char *log_request_duration (request_rec *r, char *a) {
      char duration[22];	/* Long enough for 2^64 */
  
!     ap_snprintf(duration, sizeof(duration), "%ld", time(NULL) - r->request_time);
      return pstrdup(r->pool, duration);
  }
  
***************
*** 328,342 ****
  }
  
  char *log_server_port (request_rec *r, char *a) {
!     char portnum[10];
  
!     sprintf(portnum, "%d", r->server->port);
      return pstrdup(r->pool, portnum);
  }
  
  char *log_child_pid (request_rec *r, char *a) {
!     char pidnum[10];
!     sprintf(pidnum, "%ld", (long)getpid());
      return pstrdup(r->pool, pidnum);
  }
  /*****************************************************************
--- 328,342 ----
  }
  
  char *log_server_port (request_rec *r, char *a) {
!     char portnum[22];
  
!     ap_snprintf(portnum, sizeof(portnum), "%d", r->server->port);
      return pstrdup(r->pool, portnum);
  }
  
  char *log_child_pid (request_rec *r, char *a) {
!     char pidnum[22];
!     ap_snprintf(pidnum, sizeof(pidnum), "%ld", (long)getpid());
      return pstrdup(r->pool, pidnum);
  }
  /*****************************************************************
Index: mod_negotiation.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_negotiation.c,v
retrieving revision 1.29
diff -c -r1.29 mod_negotiation.c
*** mod_negotiation.c	1997/01/01 18:10:38	1.29
--- mod_negotiation.c	1997/01/15 06:49:55
***************
*** 1653,1661 ****
          char *rec;
          char qstr[6];
          long len;
!         char lenstr[20];                /* is this long enough? */
  
!         sprintf(qstr, "%1.3f", variant->type_quality);
  
          /* Strip trailing zeros (saves those valuable network bytes) */
          if (qstr[4] == '0') {
--- 1653,1661 ----
          char *rec;
          char qstr[6];
          long len;
!         char lenstr[22];                /* enough for 2^64 */
  
!         ap_snprintf(qstr, sizeof(qstr), "%1.3f", variant->type_quality);
  
          /* Strip trailing zeros (saves those valuable network bytes) */
          if (qstr[4] == '0') {
***************
*** 1699,1705 ****
                  vary_by_charset = 1;
          }
          if ((len = find_content_length(neg, variant)) != 0) {
!             sprintf(lenstr, "%ld", len);
              rec = pstrcat(r->pool, rec, " {length ", lenstr, "}", NULL);
          }
          
--- 1699,1705 ----
                  vary_by_charset = 1;
          }
          if ((len = find_content_length(neg, variant)) != 0) {
!             ap_snprintf(lenstr, sizeof(lenstr), "%ld", len);
              rec = pstrcat(r->pool, rec, " {length ", lenstr, "}", NULL);
          }
          
Index: mod_rewrite.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_rewrite.c,v
retrieving revision 1.14
diff -c -r1.14 mod_rewrite.c
*** mod_rewrite.c	1997/01/16 08:06:13	1.14
--- mod_rewrite.c	1997/01/18 08:54:16
***************
*** 891,897 ****
  #endif 
          thisport = "";
      else {
!         sprintf(buf, ":%d", r->server->port);
          thisport = pstrdup(r->pool, buf);
      }
      thisurl = table_get(r->subprocess_env, ENVVAR_SCRIPT_URL);
--- 891,897 ----
  #endif 
          thisport = "";
      else {
!         ap_snprintf(buf, sizeof(buf), ":%d", r->server->port);
          thisport = pstrdup(r->pool, buf);
      }
      thisurl = table_get(r->subprocess_env, ENVVAR_SCRIPT_URL);
***************
*** 1026,1032 ****
              n = prefix_stat(r->filename, &finfo);
              if (n == 0) {
                  if ((cp = document_root(r)) != NULL) {
!                     strcpy(docroot, cp);
  
                      /* allways NOT have a trailing slash */
                      l = strlen(docroot);
--- 1026,1033 ----
              n = prefix_stat(r->filename, &finfo);
              if (n == 0) {
                  if ((cp = document_root(r)) != NULL) {
!                     strncpy(docroot, cp, sizeof(docroot)-1);
! 		    docroot[sizeof(docroot)-1] = '\0';
  
                      /* allways NOT have a trailing slash */
                      l = strlen(docroot);
***************
*** 1471,1489 ****
          if (p->flags & RULEFLAG_PROXY) {
              if (p->flags & RULEFLAG_NOTMATCH) {
                  output = pstrcat(r->pool, "proxy:", output, NULL);
!                 strcpy(newuri, output);
!                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
!                 expand_map_lookups(r, newuri);                       /* expand ${...} */
              }
              else {
                  output = pstrcat(r->pool, "proxy:", output, NULL);
  #ifdef HAS_APACHE_REGEX_LIB
!                 strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
  #else
                  regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
!                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
!                 expand_map_lookups(r, newuri);                       /* expand ${...} */
              }
              if (perdir == NULL)
                  rewritelog(r, 2, "rewrite %s -> %s", r->filename, newuri);
--- 1472,1492 ----
          if (p->flags & RULEFLAG_PROXY) {
              if (p->flags & RULEFLAG_NOTMATCH) {
                  output = pstrcat(r->pool, "proxy:", output, NULL);
!                 strncpy(newuri, output, sizeof(newuri)-1);
! 		newuri[sizeof(newuri)-1] = '\0';
!                 expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */
!                 expand_map_lookups(r, newuri, sizeof(newuri));       /* expand ${...} */
              }
              else {
                  output = pstrcat(r->pool, "proxy:", output, NULL);
  #ifdef HAS_APACHE_REGEX_LIB
!                 strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
! 		newuri[sizeof(newuri)-1] = '\0';
  #else
                  regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
!                 expand_variables_inbuffer(r, newuri, sizeof(newuri));   /* expand %{...} */
!                 expand_map_lookups(r, newuri, sizeof(newuri));          /* expand ${...} */
              }
              if (perdir == NULL)
                  rewritelog(r, 2, "rewrite %s -> %s", r->filename, newuri);
***************
*** 1503,1520 ****
          if (perdir != NULL && strncmp(output, "http://", 7) == 0) {
  #endif
              if (p->flags & RULEFLAG_NOTMATCH) {
!                 strcpy(newuri, output);
!                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
!                 expand_map_lookups(r, newuri);                       /* expand ${...} */
              }
              else {
  #ifdef HAS_APACHE_REGEX_LIB
!                 strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
  #else
                  regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
!                 expand_variables_inbuffer(r, newuri);                /* expand %{...} */
!                 expand_map_lookups(r, newuri);                       /* expand ${...} */
              }
              rewritelog(r, 2, "[per-dir %s] redirect %s -> %s", perdir, r->filename, newuri);
              r->filename = pstrdup(r->pool, newuri);
--- 1506,1525 ----
          if (perdir != NULL && strncmp(output, "http://", 7) == 0) {
  #endif
              if (p->flags & RULEFLAG_NOTMATCH) {
!                 strncpy(newuri, output, sizeof(newuri)-1);
! 		newuri[sizeof(newuri)-1] = '\0';
!                 expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */
!                 expand_map_lookups(r, newuri, sizeof(newuri));       /* expand ${...} */
              }
              else {
  #ifdef HAS_APACHE_REGEX_LIB
!                 strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
! 		newuri[sizeof(newuri)-1] = '\0';
  #else
                  regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
!                 expand_variables_inbuffer(r, newuri, sizeof(newuri));/* expand %{...} */
!                 expand_map_lookups(r, newuri, sizeof(newuri));       /* expand ${...} */
              }
              rewritelog(r, 2, "[per-dir %s] redirect %s -> %s", perdir, r->filename, newuri);
              r->filename = pstrdup(r->pool, newuri);
***************
*** 1532,1549 ****
  
          if (p->flags & RULEFLAG_NOTMATCH) {
              /* just overtake the URI */
!             strcpy(newuri, output);
          }
          else {
              /* substitute in output */
  #ifdef HAS_APACHE_REGEX_LIB
!             strcpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch));    /* substitute in output */
  #else
              regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
          }
!         expand_variables_inbuffer(r, newuri);  /* expand %{...} */
!         expand_map_lookups(r, newuri);         /* expand ${...} */
  
          if (perdir == NULL)
              rewritelog(r, 2, "rewrite %s -> %s", uri, newuri);
--- 1537,1556 ----
  
          if (p->flags & RULEFLAG_NOTMATCH) {
              /* just overtake the URI */
!             strncpy(newuri, output, sizeof(newuri)-1);
! 	    newuri[sizeof(newuri)-1] = '\0';
          }
          else {
              /* substitute in output */
  #ifdef HAS_APACHE_REGEX_LIB
!             strncpy(newuri, pregsub(r->pool, output, uri, regexp->re_nsub+1, regmatch), sizeof(newuri)-1);    /* substitute in output */
! 	    newuri[sizeof(newuri-1)] = '\0'; 
  #else
              regsub(regexp, output, newuri);                      /* substitute in output */
  #endif
          }
!         expand_variables_inbuffer(r, newuri, sizeof(newuri));  /* expand %{...} */
!         expand_map_lookups(r, newuri, sizeof(newuri));   /* expand ${...} */
  
          if (perdir == NULL)
              rewritelog(r, 2, "rewrite %s -> %s", uri, newuri);
***************
*** 1586,1603 ****
  #endif
                      strcpy(port, "");
                  else 
!                     sprintf(port, ":%d", r->server->port);
                  if (r->filename[0] == '/')
  #ifdef APACHE_SSL
!                     sprintf(newuri, "%s://%s%s%s", http_method(r), r->server->server_hostname, port, r->filename);
  #else
!                     sprintf(newuri, "http://%s%s%s", r->server->server_hostname, port, r->filename);
  #endif
                  else
  #ifdef APACHE_SSL
!                     sprintf(newuri, "%s://%s%s/%s", http_method(r), r->server->server_hostname, port, r->filename);
  #else
!                     sprintf(newuri, "http://%s%s/%s", r->server->server_hostname, port, r->filename);
  #endif
                  if (perdir == NULL) 
                      rewritelog(r, 2, "prepare forced redirect %s -> %s", r->filename, newuri);
--- 1593,1610 ----
  #endif
                      strcpy(port, "");
                  else 
!                     ap_snprintf(port, sizeof(port), ":%d", r->server->port);
                  if (r->filename[0] == '/')
  #ifdef APACHE_SSL
!                     ap_snprintf(newuri, sizeof(newuri), "%s://%s%s%s", http_method(r), r->server->server_hostname, port, r->filename);
  #else
!                     ap_snprintf(newuri, sizeof(newuri), "http://%s%s%s", r->server->server_hostname, port, r->filename);
  #endif
                  else
  #ifdef APACHE_SSL
!                     ap_snprintf(newuri, sizeof(newuri), "%s://%s%s/%s", http_method(r), r->server->server_hostname, port, r->filename);
  #else
!                     ap_snprintf(newuri, sizeof(newuri), "http://%s%s/%s", r->server->server_hostname, port, r->filename);
  #endif
                  if (perdir == NULL) 
                      rewritelog(r, 2, "prepare forced redirect %s -> %s", r->filename, newuri);
***************
*** 1653,1664 ****
          rc = (regexec(p->regexp, input, 0, NULL, 0) == 0);
  #else
          if (p->flags & CONDFLAG_NOCASE) {
!             for (i = 0; input[i] != '\0'; i++)
                  inputbuf[i] = tolower(input[i]);
              inputbuf[i] = '\0';
          }
          else {
!             strcpy(inputbuf, input);
          }
          rc = (regexec(p->regexp, inputbuf) != 0);
  #endif
--- 1660,1672 ----
          rc = (regexec(p->regexp, input, 0, NULL, 0) == 0);
  #else
          if (p->flags & CONDFLAG_NOCASE) {
!             for (i = 0; input[i] != '\0' && i < sizeof(inputbuf)-1 ; i++)
                  inputbuf[i] = tolower(input[i]);
              inputbuf[i] = '\0';
          }
          else {
!             strncpy(inputbuf, input, sizeof(inputbuf)-1);
! 	    inputbuf[sizeof(inputbuf)-1] = '\0';
          }
          rc = (regexec(p->regexp, inputbuf) != 0);
  #endif
***************
*** 1743,1759 ****
  
          /* cut the hostname and port out of the URI */
  #ifdef APACHE_SSL
!         strcpy(buf, r->filename+strlen(http_method(r))+3);
  #else
!         strcpy(buf, r->filename+7);
  #endif
          hostp = buf;
          for (cp = hostp; *cp != '\0' && *cp != '/' && *cp != ':'; cp++)
              ;
          if (*cp == ':') {
              /* set host */
              *cp++ = '\0';
!             strcpy(host, hostp);
              /* set port */
              portp = cp;
              for (; *cp != '\0' && *cp != '/'; cp++)
--- 1751,1769 ----
  
          /* cut the hostname and port out of the URI */
  #ifdef APACHE_SSL
!         strncpy(buf, r->filename+strlen(http_method(r))+3, sizeof(buf)-1);
  #else
!         strncpy(buf, r->filename+7, sizeof(buf)-1);
  #endif
+ 	buf[sizeof(buf)-1] = '\0';
          hostp = buf;
          for (cp = hostp; *cp != '\0' && *cp != '/' && *cp != ':'; cp++)
              ;
          if (*cp == ':') {
              /* set host */
              *cp++ = '\0';
!             strncpy(host, hostp, sizeof(host)-1);
! 	    host[sizeof(host)-1] = '\0';
              /* set port */
              portp = cp;
              for (; *cp != '\0' && *cp != '/'; cp++)
***************
*** 1768,1774 ****
          else if (*cp == '/') {
              /* set host */
              *cp = '\0';
!             strcpy(host, hostp);
              *cp = '/';
              /* set port */
              port = 80;
--- 1778,1785 ----
          else if (*cp == '/') {
              /* set host */
              *cp = '\0';
!             strncpy(host, hostp, sizeof(host)-1);
! 	    host[sizeof(host)-1] = '\0';
              *cp = '/';
              /* set port */
              port = 80;
***************
*** 1777,1783 ****
          }
          else {
              /* set host */
!             strcpy(host, hostp);
              /* set port */
              port = 80;
              /* set remaining url */
--- 1788,1795 ----
          }
          else {
              /* set host */
!             strncpy(host, hostp, sizeof(host)-1);
! 	    host[sizeof(host)-1] = '\0';
              /* set port */
              port = 80;
              /* set remaining url */
***************
*** 1812,1818 ****
      newuri = uri;
      if (uri != NULL && strlen(uri) > 2 && uri[0] == '/' && uri[1] == '~') {
          /* cut out the username */
!         for (j = 0, i = 2; uri[i] != '\0' && 
                         (   (uri[i] >= '0' && uri[i] <= '9')
                          || (uri[i] >= 'a' && uri[i] <= 'z')
                          || (uri[i] >= 'A' && uri[i] <= 'Z')); )
--- 1824,1830 ----
      newuri = uri;
      if (uri != NULL && strlen(uri) > 2 && uri[0] == '/' && uri[1] == '~') {
          /* cut out the username */
!         for (j = 0, i = 2; j < sizeof(user)-1 && uri[i] != '\0' && 
                         (   (uri[i] >= '0' && uri[i] <= '9')
                          || (uri[i] >= 'a' && uri[i] <= 'z')
                          || (uri[i] >= 'A' && uri[i] <= 'Z')); )
***************
*** 1846,1852 ****
  **
  */
  
! static void expand_map_lookups(request_rec *r, char *uri)
  {
      char newuri[MAX_STRING_LEN];
      char *cpI;
--- 1858,1865 ----
  **
  */
  
! #define limit_length(n)	(n > LONG_STRING_LEN-1 ? LONG_STRING_LEN-1 : n)
! static void expand_map_lookups(request_rec *r, char *uri, int uri_len)
  {
      char newuri[MAX_STRING_LEN];
      char *cpI;
***************
*** 1876,1902 ****
  
              cpT = strchr(cpI, ':');
              n = cpT-cpI;
!             memcpy(mapname, cpI, n);
!             mapname[n] = '\0';
              cpI += n+1;
  
              cpT2 = strchr(cpI, '|');
              cpT = strchr(cpI, '}');
              if (cpT2 != NULL && cpT2 < cpT) {
                  n = cpT2-cpI;
!                 memcpy(mapkey, cpI, n);
!                 mapkey[n] = '\0';
                  cpI += n+1;
  
                  n = cpT-cpI;
!                 memcpy(defaultvalue, cpI, n);
!                 defaultvalue[n] = '\0';
                  cpI += n+1;
              }
              else {
                  n = cpT-cpI;
!                 memcpy(mapkey, cpI, n);
!                 mapkey[n] = '\0';
                  cpI += n+1;
  
                  defaultvalue[0] = '\0';
--- 1889,1915 ----
  
              cpT = strchr(cpI, ':');
              n = cpT-cpI;
!             memcpy(mapname, cpI, limit_length(n));
!             mapname[limit_length(n)] = '\0';
              cpI += n+1;
  
              cpT2 = strchr(cpI, '|');
              cpT = strchr(cpI, '}');
              if (cpT2 != NULL && cpT2 < cpT) {
                  n = cpT2-cpI;
!                 memcpy(mapkey, cpI, limit_length(n));
!                 mapkey[limit_length(n)] = '\0';
                  cpI += n+1;
  
                  n = cpT-cpI;
!                 memcpy(defaultvalue, cpI, limit_length(n));
!                 defaultvalue[limit_length(n)] = '\0';
                  cpI += n+1;
              }
              else {
                  n = cpT-cpI;
!                 memcpy(mapkey, cpI, limit_length(n));
!                 mapkey[limit_length(n)] = '\0';
                  cpI += n+1;
  
                  defaultvalue[0] = '\0';
***************
*** 1905,1915 ****
--- 1918,1936 ----
              cpT = lookup_map(r, mapname, mapkey);
              if (cpT != NULL) {
                  n = strlen(cpT);
+ 		if (cpO + n >= newuri + sizeof(newuri)) {
+ 		    log_printf(r->server, "insufficient space in expand_map_lookups, aborting");
+ 		    return;
+ 		}
                  memcpy(cpO, cpT, n);
                  cpO += n;
              }
              else {
                  n = strlen(defaultvalue);
+ 		if (cpO + n >= newuri + sizeof(newuri)) {
+ 		    log_printf(r->server, "insufficient space in expand_map_lookups, aborting");
+ 		    return;
+ 		}
                  memcpy(cpO, defaultvalue, n);
                  cpO += n;
              }
***************
*** 1919,1933 ****
              if (cpT == NULL)
                  cpT = cpI+strlen(cpI);
              n = cpT-cpI;
              memcpy(cpO, cpI, n);
              cpO += n;
              cpI += n;
          }
      }
      *cpO = '\0';
!     strcpy(uri, newuri);
      return;
  }
  
  
  
--- 1940,1960 ----
              if (cpT == NULL)
                  cpT = cpI+strlen(cpI);
              n = cpT-cpI;
+ 	    if (cpO + n >= newuri + sizeof(newuri)) {
+ 		log_printf(r->server, "insufficient space in expand_map_lookups, aborting");
+ 		return;
+ 	    }
              memcpy(cpO, cpI, n);
              cpO += n;
              cpI += n;
          }
      }
      *cpO = '\0';
!     strncpy(uri, newuri, uri_len-1);
!     uri[uri_len-1] = '\0';
      return;
  }
+ #undef limit_length
  
  
  
***************
*** 2034,2040 ****
      if ((fp = pfopen(r->pool, file, "r")) == NULL)
          return NULL;
  
!     strcpy(output,  MAPFILE_OUTPUT);
      while (fgets(line, sizeof(line), fp) != NULL) {
          if (line[strlen(line)-1] == '\n')
              line[strlen(line)-1] = '\0';
--- 2061,2068 ----
      if ((fp = pfopen(r->pool, file, "r")) == NULL)
          return NULL;
  
!     strncpy(output,  MAPFILE_OUTPUT, sizeof(output)-1);
!     output[sizeof(output)-1] = '\0';
      while (fgets(line, sizeof(line), fp) != NULL) {
          if (line[strlen(line)-1] == '\n')
              line[strlen(line)-1] = '\0';
***************
*** 2044,2050 ****
          if (regexec(lookup_map_txtfile_regexp, line) != 0) {
  #endif
  #ifdef HAS_APACHE_REGEX_LIB
!             strcpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch)); /* substitute in output */
  #else
              regsub(lookup_map_txtfile_regexp, output, result);
  #endif
--- 2072,2079 ----
          if (regexec(lookup_map_txtfile_regexp, line) != 0) {
  #endif
  #ifdef HAS_APACHE_REGEX_LIB
!             strncpy(result, pregsub(r->pool, output, line, lookup_map_txtfile_regexp->re_nsub+1, lookup_map_txtfile_regmatch), sizeof(result)-1); /* substitute in output */
! 	    result[sizeof(result)-1] = '\0';
  #else
              regsub(lookup_map_txtfile_regexp, output, result);
  #endif
***************
*** 2073,2079 ****
      char buf[MAX_STRING_LEN];
  
      dbmkey.dptr  = key;
!     dbmkey.dsize = strlen(key);
      if ((dbmfp = dbm_open(file, O_RDONLY, 0666)) != NULL) {
          dbmval = dbm_fetch(dbmfp, dbmkey);
          if (dbmval.dptr != NULL) {
--- 2102,2108 ----
      char buf[MAX_STRING_LEN];
  
      dbmkey.dptr  = key;
!     dbmkey.dsize = strlen(key) < sizeof(buf) - 1 : strlen(key) ? sizeof(buf)-1;
      if ((dbmfp = dbm_open(file, O_RDONLY, 0666)) != NULL) {
          dbmval = dbm_fetch(dbmfp, dbmkey);
          if (dbmval.dptr != NULL) {
***************
*** 2099,2105 ****
  
      /* read in the response value */
      i = 0;
!     while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN)) {
          if (c == '\n')
              break;
          buf[i++] = c;
--- 2128,2134 ----
  
      /* read in the response value */
      i = 0;
!     while (read(fpout, &c, 1) == 1 && (i < LONG_STRING_LEN-1)) {
          if (c == '\n')
              break;
          buf[i++] = c;
***************
*** 2216,2236 ****
                              (connect->remote_logname != NULL ? connect->remote_logname : "-"), " ",
                              ruser,
                              NULL);
!     vsprintf(str2, text, ap);
  
!     if (r->main == NULL)
!         strcpy(type, "initial");
!     else
!         strcpy(type, "subreq");
  
      for (i = 0, req = r->prev; req != NULL; req = req->prev) 
          ;
      if (i == 0)
          strcpy(redir, "");
      else
!         sprintf(redir, "/redir#%d", i);
  
!     sprintf(str3, "%s %s [%s/sid#%x][rid#%x/%s%s] (%d) %s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2);
  
      write(conf->rewritelogfp, str3, strlen(str3));
  
--- 2245,2268 ----
                              (connect->remote_logname != NULL ? connect->remote_logname : "-"), " ",
                              ruser,
                              NULL);
!     ap_vsnprintf(str2, sizeof(str2), text, ap);
  
!     if (r->main == NULL) {
!         strncpy(type, "initial", sizeof(type)-1);
! 	type[sizeof(type)-1] = '\0';
!     } else {
!         strncpy(type, "subreq", sizeof(type)-1);
! 	type[sizeof(type)-1] = '\0';
!     }
  
      for (i = 0, req = r->prev; req != NULL; req = req->prev) 
          ;
      if (i == 0)
          strcpy(redir, "");
      else
!         ap_snprintf(redir, sizeof(redir), "/redir#%d", i);
  
!     ap_snprintf(str3, sizeof(str3), "%s %s [%s/sid#%x][rid#%x/%s%s] (%d) %s\n", str1, current_logtime(r), r->server->server_hostname, (unsigned int)(r->server), (unsigned int)r, type, redir, level, str2);
  
      write(conf->rewritelogfp, str3, strlen(str3));
  
***************
*** 2254,2265 ****
      if(timz < 0) 
          timz = -timz;
  
!     strftime(tstr, MAX_STRING_LEN,"[%d/%b/%Y:%H:%M:%S ",t);
  
  #ifdef IS_APACHE_12
!     sprintf(tstr + strlen(tstr), "%c%.2d%.2d]", sign, timz/60, timz%60);
  #else
!     sprintf(tstr + strlen(tstr), "%c%02ld%02ld]", sign, timz/3600, timz%3600);
  #endif
  
      return pstrdup(r->pool, tstr);
--- 2286,2297 ----
      if(timz < 0) 
          timz = -timz;
  
!     strftime(tstr, 80,"[%d/%b/%Y:%H:%M:%S ",t);
  
  #ifdef IS_APACHE_12
!     ap_snprintf(tstr + strlen(tstr), 80-strlen(tstr), "%c%.2d%.2d]", sign, timz/60, timz%60);
  #else
!     ap_snprintf(tstr + strlen(tstr), 80-strlen(tstr), "%c%02ld%02ld]", sign, timz/3600, timz%3600);
  #endif
  
      return pstrdup(r->pool, tstr);
***************
*** 2341,2352 ****
  */
  
  
! static void expand_variables_inbuffer(request_rec *r, char *buf)
  {
      char *newbuf;
      newbuf = expand_variables(r, buf);
!     if (strcmp(newbuf, buf) != 0)
!         strcpy(buf, newbuf);
      return;
  }
  
--- 2373,2386 ----
  */
  
  
! static void expand_variables_inbuffer(request_rec *r, char *buf, int buf_len)
  {
      char *newbuf;
      newbuf = expand_variables(r, buf);
!     if (strcmp(newbuf, buf) != 0) {
!         strncpy(buf, newbuf, buf_len-1);
! 	buf[buf_len-1] = '\0';
!     }
      return;
  }
  
***************
*** 2359,2383 ****
      char *cp3;
      int expanded;
  
!     strcpy(input, str);
      output[0] = '\0';
      expanded = 0;
      for (cp = input; cp < input+MAX_STRING_LEN; ) {
          if ((cp2 = strstr(cp, "%{")) != NULL) {
              if ((cp3 = strstr(cp2, "}")) != NULL) {
                  *cp2 = '\0';
!                 strcpy(&output[strlen(output)], cp);
! 
                  cp2 += 2;
                  *cp3 = '\0';
!                 strcpy(&output[strlen(output)], lookup_variable(r, cp2));
  
                  cp = cp3+1;
                  expanded = 1;
                  continue;
              }
          }
!         strcpy(&output[strlen(output)], cp);
          break;
      }
      return expanded ? pstrdup(r->pool, output) : str;
--- 2393,2418 ----
      char *cp3;
      int expanded;
  
!     strncpy(input, str, sizeof(input)-1);
!     input[sizeof(input)-1] = '\0';
      output[0] = '\0';
      expanded = 0;
      for (cp = input; cp < input+MAX_STRING_LEN; ) {
          if ((cp2 = strstr(cp, "%{")) != NULL) {
              if ((cp3 = strstr(cp2, "}")) != NULL) {
                  *cp2 = '\0';
!                 strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1);
                  cp2 += 2;
                  *cp3 = '\0';
!                 strncpy(&output[strlen(output)], lookup_variable(r, cp2), sizeof(output)-strlen(output)-1);
  
                  cp = cp3+1;
                  expanded = 1;
                  continue;
              }
          }
!         strncpy(&output[strlen(output)], cp, sizeof(output)-strlen(output)-1);
! 	output[sizeof(output)-1] = '\0';
          break;
      }
      return expanded ? pstrdup(r->pool, output) : str;
***************
*** 2468,2474 ****
          result = r->server->server_hostname;
      }
      else if (strcasecmp(var, "SERVER_PORT") == 0) {
!         sprintf(resultbuf, "%d", r->server->port);
          result = resultbuf;
      }
      else if (strcasecmp(var, "SERVER_PROTOCOL") == 0) {
--- 2503,2509 ----
          result = r->server->server_hostname;
      }
      else if (strcasecmp(var, "SERVER_PORT") == 0) {
!         ap_snprintf(resultbuf, sizeof(resultbuf), "%d", r->server->port);
          result = resultbuf;
      }
      else if (strcasecmp(var, "SERVER_PROTOCOL") == 0) {
***************
*** 2478,2484 ****
          result = pstrdup(r->pool, SERVER_VERSION);
      }
      else if (strcasecmp(var, "API_VERSION") == 0) { /* non-standard */
!         sprintf(resultbuf, "%d", MODULE_MAGIC_NUMBER);
          result = resultbuf;
      }
  
--- 2513,2519 ----
          result = pstrdup(r->pool, SERVER_VERSION);
      }
      else if (strcasecmp(var, "API_VERSION") == 0) { /* non-standard */
!         ap_snprintf(resultbuf, sizeof(resultbuf), "%d", MODULE_MAGIC_NUMBER);
          result = resultbuf;
      }
  
***************
*** 2486,2498 ****
      else if (strcasecmp(var, "TIME_YEAR") == 0) {
          tc = time(NULL); 
          tm = localtime(&tc); 
!         sprintf(resultbuf, "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100);
          result = resultbuf;
      }
  #define MKTIMESTR(format, tmfield) \
      tc = time(NULL); \
      tm = localtime(&tc); \
!     sprintf(resultbuf, format, tm->tmfield); \
      result = resultbuf;
      else if (strcasecmp(var, "TIME_MON") == 0) {
          MKTIMESTR("%02d", tm_mon+1)
--- 2521,2533 ----
      else if (strcasecmp(var, "TIME_YEAR") == 0) {
          tc = time(NULL); 
          tm = localtime(&tc); 
!         ap_snprintf(resultbuf, sizeof(resultbuf), "%02d%02d", (tm->tm_year / 100) + 19, tm->tm_year % 100);
          result = resultbuf;
      }
  #define MKTIMESTR(format, tmfield) \
      tc = time(NULL); \
      tm = localtime(&tc); \
!     ap_snprintf(resultbuf, sizeof(resultbuf), format, tm->tmfield); \
      result = resultbuf;
      else if (strcasecmp(var, "TIME_MON") == 0) {
          MKTIMESTR("%02d", tm_mon+1)
***************
*** 2684,2690 ****
      output = input;
  
      /* first, remove the local directory prefix */
!     strcpy(matchbuf, match);
      /* allways have a trailing slash */
      l = strlen(matchbuf);
      if (matchbuf[l-1] != '/') {
--- 2719,2727 ----
      output = input;
  
      /* first, remove the local directory prefix */
!     strncpy(matchbuf, match, sizeof(matchbuf)-1);
!     matchbuf[sizeof(matchbuf)-1] = '\0';
! 
      /* allways have a trailing slash */
      l = strlen(matchbuf);
      if (matchbuf[l-1] != '/') {
***************
*** 2697,2703 ****
          output = pstrdup(r->pool, output+l); 
  
          /* and now add the base-URL as replacement prefix */
!         strcpy(substbuf, subst);
          /* allways have a trailing slash */
          l = strlen(substbuf);
          if (substbuf[l-1] != '/') {
--- 2734,2741 ----
          output = pstrdup(r->pool, output+l); 
  
          /* and now add the base-URL as replacement prefix */
!         strncpy(substbuf, subst, sizeof(substbuf)-1);
! 	substbuf[sizeof(substbuf)-1] = '\0';
          /* allways have a trailing slash */
          l = strlen(substbuf);
          if (substbuf[l-1] != '/') {
***************
*** 2806,2812 ****
      char curpath[LONG_STRING_LEN];
      char *cp;
  
!     strcpy(curpath, path);
      if (curpath[0] != '/') 
          return 0;
      if ((cp = strchr(curpath+1, '/')) != NULL)
--- 2844,2851 ----
      char curpath[LONG_STRING_LEN];
      char *cp;
  
!     strncpy(curpath, path, sizeof(curpath)-1);
!     curpath[sizeof(curpath)-1] = '\0';
      if (curpath[0] != '/') 
          return 0;
      if ((cp = strchr(curpath+1, '/')) != NULL)
Index: mod_rewrite.h
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_rewrite.h,v
retrieving revision 1.14
diff -c -r1.14 mod_rewrite.h
*** mod_rewrite.h	1997/01/01 18:10:40	1.14
--- mod_rewrite.h	1997/01/18 07:23:15
***************
*** 333,339 ****
  static void  splitout_queryargs(request_rec *r);
  static void  reduce_uri(request_rec *r);
  static char *expand_tildepaths(request_rec *r, char *uri);
! static void  expand_map_lookups(request_rec *r, char *uri);
  
      /* DBM hashfile support functions */
  static char *lookup_map(request_rec *r, char *name, char *key);
--- 333,339 ----
  static void  splitout_queryargs(request_rec *r);
  static void  reduce_uri(request_rec *r);
  static char *expand_tildepaths(request_rec *r, char *uri);
! static void  expand_map_lookups(request_rec *r, char *uri, int uri_len);
  
      /* DBM hashfile support functions */
  static char *lookup_map(request_rec *r, char *name, char *key);
***************
*** 354,360 ****
  static void  rewritemap_program_child(void *cmd);
  
      /* env variable support */
! static void  expand_variables_inbuffer(request_rec *r, char *buf);
  static char *expand_variables(request_rec *r, char *str);
  static char *lookup_variable(request_rec *r, char *var);
  static char *lookup_header(request_rec *r, const char *name);
--- 354,360 ----
  static void  rewritemap_program_child(void *cmd);
  
      /* env variable support */
! static void  expand_variables_inbuffer(request_rec *r, char *buf, int buf_len);
  static char *expand_variables(request_rec *r, char *str);
  static char *lookup_variable(request_rec *r, char *var);
  static char *lookup_header(request_rec *r, const char *name);
Index: mod_usertrack.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/mod_usertrack.c,v
retrieving revision 1.7
diff -c -r1.7 mod_usertrack.c
*** mod_usertrack.c	1997/01/01 18:10:42	1.7
--- mod_usertrack.c	1997/01/15 07:25:59
***************
*** 121,128 ****
      cookie_log_state *cls = get_module_config (r->server->module_config,
  					       &usertrack_module);
      struct timeval tv;
!     char *new_cookie = palloc( r->pool, 100);	/* 100 = blurgh */
!     char *cookiebuf = palloc( r->pool, 100);
      char *dot;
      const char *rname = pstrdup(r->pool, 
  		       	    get_remote_host(r->connection, r->per_dir_config,
--- 121,129 ----
      cookie_log_state *cls = get_module_config (r->server->module_config,
  					       &usertrack_module);
      struct timeval tv;
!     /* 1024 == hardcoded constants */
!     char *new_cookie = palloc( r->pool, 1024);	
!     char *cookiebuf = palloc( r->pool, 1024);
      char *dot;
      const char *rname = pstrdup(r->pool, 
  		       	    get_remote_host(r->connection, r->per_dir_config,
***************
*** 133,139 ****
      if ((dot = strchr(rname,'.'))) *dot='\0';	/* First bit of hostname */
      gettimeofday(&tv, &tz);
  
!     sprintf(cookiebuf, "%s%d%ld%d", rname, (int)getpid(),
  	      (long)tv.tv_sec, (int)tv.tv_usec/1000);	    
  
      if (cls->expires) {
--- 134,140 ----
      if ((dot = strchr(rname,'.'))) *dot='\0';	/* First bit of hostname */
      gettimeofday(&tv, &tz);
  
!     ap_snprintf(cookiebuf, 1024, "%s%d%ld%d", rname, (int)getpid(),
  	      (long)tv.tv_sec, (int)tv.tv_usec/1000);	    
  
      if (cls->expires) {
***************
*** 154,160 ****
        tms = gmtime(&when);
  
        /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
!       sprintf(new_cookie,
  	   "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
  	      COOKIE_NAME, cookiebuf, days[tms->tm_wday],
  	      tms->tm_mday, month_snames[tms->tm_mon],
--- 155,161 ----
        tms = gmtime(&when);
  
        /* Cookie with date; as strftime '%a, %d-%h-%y %H:%M:%S GMT' */
!       ap_snprintf(new_cookie, 1024,
  	   "%s%s; path=/; expires=%s, %.2d-%s-%.2d %.2d:%.2d:%.2d GMT",
  	      COOKIE_NAME, cookiebuf, days[tms->tm_wday],
  	      tms->tm_mday, month_snames[tms->tm_mon],
***************
*** 162,168 ****
  	      tms->tm_hour, tms->tm_min, tms->tm_sec);
      }
      else
!       sprintf(new_cookie,"%s%s; path=/", COOKIE_NAME, cookiebuf);
  
      table_set(r->headers_out,"Set-Cookie",new_cookie);
      table_set(r->notes, "cookie", cookiebuf); /* log first time */
--- 163,169 ----
  	      tms->tm_hour, tms->tm_min, tms->tm_sec);
      }
      else
!       ap_snprintf(new_cookie, 1024, "%s%s; path=/", COOKIE_NAME, cookiebuf);
  
      table_set(r->headers_out,"Set-Cookie",new_cookie);
      table_set(r->notes, "cookie", cookiebuf); /* log first time */
Index: rfc1413.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/rfc1413.c,v
retrieving revision 1.7
diff -c -r1.7 rfc1413.c
*** rfc1413.c	1997/01/01 18:10:43	1.7
--- rfc1413.c	1997/01/18 07:45:12
***************
*** 143,149 ****
  	return -1;
  
  /* send the data */
!     sprintf(buffer, "%u,%u\r\n", ntohs(rmt_sin->sin_port),
  	    ntohs(our_sin->sin_port));
      do i = write(sock, buffer, strlen(buffer));
      while (i == -1 && errno == EINTR);
--- 143,149 ----
  	return -1;
  
  /* send the data */
!     ap_snprintf(buffer, sizeof(buffer), "%u,%u\r\n", ntohs(rmt_sin->sin_port),
  	    ntohs(our_sin->sin_port));
      do i = write(sock, buffer, strlen(buffer));
      while (i == -1 && errno == EINTR);
Index: util.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/util.c,v
retrieving revision 1.39
diff -c -r1.39 util.c
*** util.c	1997/01/10 11:43:08	1.39
--- util.c	1997/01/15 07:32:22
***************
*** 95,101 ****
      tms = gmtime(&sec);
  
  /* RFC date format; as strftime '%a, %d %b %Y %T GMT' */
!     sprintf(ts, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", days[tms->tm_wday],
  	    tms->tm_mday, month_snames[tms->tm_mon], tms->tm_year + 1900,
  	    tms->tm_hour, tms->tm_min, tms->tm_sec);
  
--- 95,102 ----
      tms = gmtime(&sec);
  
  /* RFC date format; as strftime '%a, %d %b %Y %T GMT' */
!     ap_snprintf(ts, sizeof(ts), 
! 	    "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", days[tms->tm_wday],
  	    tms->tm_mday, month_snames[tms->tm_mon], tms->tm_year + 1900,
  	    tms->tm_hour, tms->tm_min, tms->tm_sec);
  
***************
*** 758,769 ****
  }
  
  char *construct_server(pool *p, const char *hostname, int port) {
!     char portnum[10];		/* Long enough.  Really! */
    
      if (port == 80)
  	return (char *)hostname;
      else {
!         sprintf (portnum, "%d", port);
  	return pstrcat (p, hostname, ":", portnum, NULL);
      }
  }
--- 759,771 ----
  }
  
  char *construct_server(pool *p, const char *hostname, int port) {
!     char portnum[22];		
! 	/* Long enough, even if port > 16 bits for some reason */
    
      if (port == 80)
  	return (char *)hostname;
      else {
!         ap_snprintf (portnum, sizeof(portnum), "%d", port);
  	return pstrcat (p, hostname, ":", portnum, NULL);
      }
  }
***************
*** 1307,1313 ****
      int offset;
  
      offset = 0;
!     for (loop=0; loop < (strlen(path) + 1); loop++) {
          if (path[loop] == '/') {
              newpath[offset] = '\\';
              /*
--- 1309,1315 ----
      int offset;
  
      offset = 0;
!     for (loop=0; loop < (strlen(path) + 1) && loop < sizeof(newpath)-1; loop++) {
          if (path[loop] == '/') {
              newpath[offset] = '\\';
              /*
Index: util_script.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/util_script.c,v
retrieving revision 1.40
diff -c -r1.40 util_script.c
*** util_script.c	1997/01/16 07:57:29	1.40
--- util_script.c	1997/01/18 07:50:28
***************
*** 93,98 ****
--- 93,99 ----
  	av[idx] = escape_shell_cmd(r->pool, t);
  	av[idx] = t;
  	idx++;
+ 	if (idx >= APACHE_ARG_MAX-1) break;
  	
  	while ((t = strtok(NULL, "+")) != NULL) {
  	    unescape_url(t);
***************
*** 100,111 ****
  	    av[idx] = escape_shell_cmd(r->pool, t);
  	    av[idx] = t;
  	    idx++;
  	}
  	va_end(args);
      }
      va_end(args);
  
!     av[idx] = NULL;
      return av;
  }
  
--- 101,113 ----
  	    av[idx] = escape_shell_cmd(r->pool, t);
  	    av[idx] = t;
  	    idx++;
+ 	    if (idx >= APACHE_ARG_MAX-1) break;
  	}
  	va_end(args);
      }
      va_end(args);
  
!     av[idx] = '\0';
      return av;
  }
  
***************
*** 177,183 ****
  	    table_set (e, http2env (r->pool, hdrs[i].key), hdrs[i].val);
      }
      
!     sprintf(port, "%d", s->port);
  
      if(!(env_path = getenv("PATH")))
          env_path=DEFAULT_PATH;
--- 179,185 ----
  	    table_set (e, http2env (r->pool, hdrs[i].key), hdrs[i].val);
      }
      
!     ap_snprintf(port, sizeof(port), "%d", s->port);
  
      if(!(env_path = getenv("PATH")))
          env_path=DEFAULT_PATH;
***************
*** 193,199 ****
      table_set (e, "SERVER_ADMIN", s->server_admin); /* Apache */
      table_set (e, "SCRIPT_FILENAME", r->filename); /* Apache */
      
!     sprintf(port, "%d", ntohs(c->remote_addr.sin_port));
      table_set (e, "REMOTE_PORT", port);            /* Apache */
  
      if (c->user) table_set(e, "REMOTE_USER", c->user);
--- 195,201 ----
      table_set (e, "SERVER_ADMIN", s->server_admin); /* Apache */
      table_set (e, "SCRIPT_FILENAME", r->filename); /* Apache */
      
!     ap_snprintf(port, sizeof(port), "%d", ntohs(c->remote_addr.sin_port));
      table_set (e, "REMOTE_PORT", port);            /* Apache */
  
      if (c->user) table_set(e, "REMOTE_USER", c->user);
***************
*** 389,399 ****
      else if(size < 1024) 
          strcpy(ss, "   1k");
      else if(size < 1048576)
!         sprintf(ss, "%4dk", (size + 512) / 1024);
      else if(size < 103809024)
! 	sprintf(ss, "%4.1fM", size / 1048576.0);
      else
!         sprintf(ss, "%4dM", (size + 524288) / 1048576);
      rputs(ss, r);
  }
  
--- 391,401 ----
      else if(size < 1024) 
          strcpy(ss, "   1k");
      else if(size < 1048576)
!         ap_snprintf(ss, sizeof(ss), "%4dk", (size + 512) / 1024);
      else if(size < 103809024)
! 	ap_snprintf(ss, sizeof(ss), "%4.1fM", size / 1048576.0);
      else
!         ap_snprintf(ss, sizeof(ss), "%4dM", (size + 524288) / 1048576);
      rputs(ss, r);
  }
  
***************
*** 473,479 ****
          program = fopen (r->filename, "r");
          if (!program) {
              char err_string[HUGE_STRING_LEN];
!             sprintf(err_string, "open of %s failed, errno is %d\n", r->filename, errno);
              /* write(2, err_string, strlen(err_string)); */
              /* exit(0); */
              log_unixerr("fopen", NULL, err_string, r->server);
--- 475,481 ----
          program = fopen (r->filename, "r");
          if (!program) {
              char err_string[HUGE_STRING_LEN];
!             ap_snprintf(err_string, sizeof(err_string), "open of %s failed, errno is %d\n", r->filename, errno);
              /* write(2, err_string, strlen(err_string)); */
              /* exit(0); */
              log_unixerr("fopen", NULL, err_string, r->server);
Index: modules/proxy/proxy_cache.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_cache.c,v
retrieving revision 1.8
diff -c -r1.8 proxy_cache.c
*** proxy_cache.c	1997/01/01 18:20:01	1.8
--- proxy_cache.c	1997/01/18 04:37:25
***************
*** 194,200 ****
      struct gc_ent *fent;
      int nfiles=0;
  
!     sprintf(cachedir,"%s%s",cachebasedir,cachesubdir);
      Explain1("GC Examining directory %s",cachedir);
      dir = opendir(cachedir);
      if (dir == NULL)
--- 194,200 ----
      struct gc_ent *fent;
      int nfiles=0;
  
!     ap_snprintf(cachedir, sizeof(cachedir), "%s%s",cachebasedir,cachesubdir);
      Explain1("GC Examining directory %s",cachedir);
      dir = opendir(cachedir);
      if (dir == NULL)
***************
*** 251,260 ****
  	    {
  	    char newcachedir[HUGE_STRING_LEN];
  	    close(fd);
! 	    sprintf(newcachedir,"%s%s/",cachesubdir,ent->d_name);
  	    if(!sub_garbage_coll(r,files,cachebasedir,newcachedir))
  		{
! 		sprintf(newcachedir,"%s%s",cachedir,ent->d_name);
  #if TESTING
  		fprintf(stderr,"Would remove directory %s\n",newcachedir);
  #else
--- 251,262 ----
  	    {
  	    char newcachedir[HUGE_STRING_LEN];
  	    close(fd);
! 	    ap_snprintf(newcachedir, sizeof(newcachedir),
! 		"%s%s/",cachesubdir,ent->d_name);
  	    if(!sub_garbage_coll(r,files,cachebasedir,newcachedir))
  		{
! 		ap_snprintf(newcachedir, sizeof(newcachedir), 
! 			"%s%s",cachedir,ent->d_name);
  #if TESTING
  		fprintf(stderr,"Would remove directory %s\n",newcachedir);
  #else
***************
*** 383,389 ****
  	if (q == NULL)
  	{
  	    p = palloc(pool, 15);
! 	    sprintf(p, "%u", c->len);
  	    proxy_add_header(c->hdrs, "Content-Length", p, HDR_REP);
  	}
      }
--- 385,391 ----
  	if (q == NULL)
  	{
  	    p = palloc(pool, 15);
! 	    ap_snprintf(p, 15, "%u", c->len);
  	    proxy_add_header(c->hdrs, "Content-Length", p, HDR_REP);
  	}
      }
Index: modules/proxy/proxy_ftp.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_ftp.c,v
retrieving revision 1.7
diff -c -r1.7 proxy_ftp.c
*** proxy_ftp.c	1997/01/07 21:51:57	1.7
--- proxy_ftp.c	1997/01/18 08:23:57
***************
*** 158,164 ****
  
  /* now, rebuild URL */
  
!     if (port != DEFAULT_FTP_PORT) sprintf(sport, ":%d", port);
      else sport[0] = '\0';
  
      r->filename = pstrcat(pool, "proxy:ftp://", (user != NULL) ? user : "",
--- 158,164 ----
  
  /* now, rebuild URL */
  
!     if (port != DEFAULT_FTP_PORT) ap_snprintf(sport, sizeof(sport), ":%d", port);
      else sport[0] = '\0';
  
      r->filename = pstrcat(pool, "proxy:ftp://", (user != NULL) ? user : "",
***************
*** 221,232 ****
      char buf[IOBUFSIZE];
      char buf2[IOBUFSIZE];
      char *filename;
!     char urlptr[100];
      long total_bytes_sent;
      register int n, o, w;
      conn_rec *con = r->connection;
  
!     sprintf(buf,"<HTML><HEAD><TITLE>%s</TITLE></HEAD><BODY><H1>Directory %s</H1><HR><PRE>", url, url);
      bwrite(con->client, buf, strlen(buf));
      if (f2 != NULL) bwrite(f2, buf, strlen(buf));
      total_bytes_sent=strlen(buf);
--- 221,232 ----
      char buf[IOBUFSIZE];
      char buf2[IOBUFSIZE];
      char *filename;
!     char urlptr[HUGE_STRING_LEN];
      long total_bytes_sent;
      register int n, o, w;
      conn_rec *con = r->connection;
  
!     ap_snprintf(buf, sizeof(buf), "<HTML><HEAD><TITLE>%s</TITLE></HEAD><BODY><H1>Directory %s</H1><HR><PRE>", url, url);
      bwrite(con->client, buf, strlen(buf));
      if (f2 != NULL) bwrite(f2, buf, strlen(buf));
      total_bytes_sent=strlen(buf);
***************
*** 248,256 ****
              do filename--; while (filename[0]!=' ');
              *(filename++)=0;
              *(link++)=0;
!             sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
!             sprintf(buf2, "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link);
!             strcpy(buf, buf2);
              n=strlen(buf);
          }
          else if(buf[0]=='d' || buf[0]=='-' || buf[0]=='l')
--- 248,257 ----
              do filename--; while (filename[0]!=' ');
              *(filename++)=0;
              *(link++)=0;
!             ap_snprintf(urlptr, sizeof(urlptr), "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
!             ap_snprintf(buf2, sizeof(urlptr), "%s <A HREF=\"%s\">%s %s</A>\015\012", buf, urlptr, filename, link);
!             strncpy(buf, buf2, sizeof(buf)-1);
! 	    buf[sizeof(buf)-1] = '\0';
              n=strlen(buf);
          }
          else if(buf[0]=='d' || buf[0]=='-' || buf[0]=='l')
***************
*** 261,268 ****
              /* Special handling for '.' and '..' */
              if (!strcmp(filename, "."))
              {
!                 sprintf(urlptr, "%s",url);
!                 sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
              else if (!strcmp(filename, ".."))
              {
--- 262,269 ----
              /* Special handling for '.' and '..' */
              if (!strcmp(filename, "."))
              {
!                 ap_snprintf(urlptr, sizeof(urlptr), "%s",url);
!                 ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
              else if (!strcmp(filename, ".."))
              {
***************
*** 270,276 ****
                  char newpath[200];
                  char *method, *host, *path, *newfile;
     
!                 strcpy(temp,url);
                  method=temp;
  
                  host=strchr(method,':');
--- 271,278 ----
                  char newpath[200];
                  char *method, *host, *path, *newfile;
     
!                 strncpy(temp, url, sizeof(temp)-1);
! 		temp[sizeof(temp)-1] = '\0';
                  method=temp;
  
                  host=strchr(method,':');
***************
*** 282,301 ****
                  if (path == NULL) path="";
                  else *(path++)=0;
                  
!                 strcpy(newpath,path);
                  newfile=strrchr(newpath,'/');
                  if (newfile) *(newfile)=0;
                  else newpath[0]=0;
  
!                 sprintf(urlptr,"%s://%s/%s",method,host,newpath);
!                 sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
              else 
              {
!                 sprintf(urlptr, "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
!                 sprintf(buf2, "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
!             strcpy(buf, buf2);
              n=strlen(buf);
          }      
  
--- 284,305 ----
                  if (path == NULL) path="";
                  else *(path++)=0;
                  
!                 strncpy(newpath, path, sizeof(newpath)-1);
! 		newpath[sizeof(newpath)-1] = '\0';
                  newfile=strrchr(newpath,'/');
                  if (newfile) *(newfile)=0;
                  else newpath[0]=0;
  
!                 ap_snprintf(urlptr, sizeof(urlptr), "%s://%s/%s",method,host,newpath);
!                 ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
              else 
              {
!                 ap_snprintf(urlptr, sizeof(urlptr), "%s%s%s",url,(url[strlen(url)-1]=='/' ? "" : "/"), filename);
!                 ap_snprintf(buf2, sizeof(buf2), "%s <A HREF=\"%s\">%s</A>\015\012", buf, urlptr, filename);
              }
!             strncpy(buf, buf2, sizeof(buf));
! 	    buf[sizeof(buf)-1] = '\0';
              n=strlen(buf);
          }      
  
***************
*** 314,320 ****
              o+=w;
          }
      }
!     sprintf(buf,"</PRE><HR><I><A HREF=\"http://www.apache.org\">%s</A></I></BODY></HTML>", SERVER_VERSION);
      bwrite(con->client, buf, strlen(buf));
      if (f2 != NULL) bwrite(f2, buf, strlen(buf));
      total_bytes_sent+=strlen(buf);
--- 318,324 ----
              o+=w;
          }
      }
!     ap_snprintf(buf, sizeof(buf), "</PRE><HR><I><A HREF=\"http://www.apache.org\">%s</A></I></BODY></HTML>", SERVER_VERSION);
      bwrite(con->client, buf, strlen(buf));
      if (f2 != NULL) bwrite(f2, buf, strlen(buf));
      total_bytes_sent+=strlen(buf);
***************
*** 660,666 ****
          {
  	    char buff[22];
  
! 	    sprintf(buff, "%s:%d", inet_ntoa(server.sin_addr), server.sin_port);
  	    proxy_log_uerror("bind", buff,
  	        "proxy: error binding to ftp data socket", r->server);
      	    pclosef(pool, sock);
--- 664,670 ----
          {
  	    char buff[22];
  
! 	    ap_snprintf(buff, sizeof(buff), "%s:%d", inet_ntoa(server.sin_addr), server.sin_port);
  	    proxy_log_uerror("bind", buff,
  	        "proxy: error binding to ftp data socket", r->server);
      	    pclosef(pool, sock);
Index: modules/proxy/proxy_http.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_http.c,v
retrieving revision 1.12
diff -c -r1.12 proxy_http.c
*** proxy_http.c	1997/01/07 21:51:58	1.12
--- proxy_http.c	1997/01/18 04:44:20
***************
*** 100,106 ****
      } else
  	search = NULL;
  
!     if (port != def_port) sprintf(sport, ":%d", port);
      else sport[0] = '\0';
  
      r->filename = pstrcat(r->pool, "proxy:", scheme, "://", host, sport, "/",
--- 100,106 ----
      } else
  	search = NULL;
  
!     if (port != def_port) ap_snprintf(sport, sizeof(sport), ":%d", port);
      else sport[0] = '\0';
  
      r->filename = pstrcat(r->pool, "proxy:", scheme, "://", host, sport, "/",
Index: modules/proxy/proxy_util.c
===================================================================
RCS file: /home/marcs/archive/apache/cvs/apache/src/modules/proxy/proxy_util.c,v
retrieving revision 1.6
diff -c -r1.6 proxy_util.c
*** proxy_util.c	1997/01/01 18:20:03	1.6
--- proxy_util.c	1997/01/18 04:45:30
***************
*** 297,303 ****
      if (mon == 12) return x;
  
      if (strlen(x) < 31) x = palloc(p, 31);
!     sprintf(x, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", wday[wk], mday,
  	    months[mon], year, hour, min, sec);
      return x;
  }
--- 297,303 ----
      if (mon == 12) return x;
  
      if (strlen(x) < 31) x = palloc(p, 31);
!     ap_snprintf(x, strlen(x)+1, "%s, %.2d %s %d %.2d:%.2d:%.2d GMT", wday[wk], mday,
  	    months[mon], year, hour, min, sec);
      return x;
  }


Mime
View raw message