httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject Re: snprintf()
Date Wed, 08 Jan 1997 03:54:52 GMT
On Tue, 7 Jan 1997, sameer wrote:
> 	This is true, but the buffer overflow is a BUG. It MUST BE
> FIXED.  I will veto any full release that doesn't have fixes to the
> problems Mr. Slemko (I forgot his first name, sorry =) found.  

I agree.  And I think our record over the last few beta cycles has been fine in
regards to the "introducing features during feature freeze" department.  Other
than the proxy stuff which Chuck has been working on, syncing with ralf's
mod_rewrite and portability enhancements, the only non-bug-fixes
have been:

1.2b4: 

  *) OS/2 changes to support an MMAP style scoreboard file and UNIX
     style magic #! token for better script portability. [Garey Smiley]

1.2b3: 

  *) Add set_flag_slot() at the request of Dirk and others.
     [Dirk vanGulik]

  *) Add "Authoritative" directive for Auth modules that don't
     currently have it. This gives admin control to assign authoritative
     control to an authentication scheme and allow "fall through" for
     those authentication modules that aren't "Authoritative" thereby
     allowing multiple authentication mechanisms to be chained.
     [Dirk vanGulik]

  *) Remove requirement for ResourceConfig/AccessConfig if not using
     the three config file layout. [Randy Terbush]

  *) Add FILEPATH_INFO variable to CGI environment, which is equal to
     PATH_INFO from previous versions of Apache (in certain situations,
     Apache 1.2's PATH_INFO will be different than 1.1's). [Alexei Kosut]

  *) Add rwrite() function to API to allow for sending strings of
     arbitrary length. [Doug MacEachern]


And then there's the header-parse API enhancement, which I also support.  To
say we're adding more features now than before b1 isn't quite fair, but I agree
we do need to wrap this up. 

Let's put the bounds-checking stuff in (hopefully we don't need a full
regex-style library to do this, do we??!?!) because we don't need to be the
Berkeley Sendmail of the web server market, and let's thank our lucky stars we
have folks like Marc Slemko focusing on security issues.

</soapbox>

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS


Mime
View raw message