httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: [PATCH] fix pcfg_openfile() (was: mod_auth-any/1672: Authentication / .htaccess DoS attack)
Date Thu, 15 Jan 1998 21:17:28 GMT
On Thu, 15 Jan 1998, Martin Kraemer wrote:

> On Thu, Jan 15, 1998 at 02:06:31PM -0700, Marc Slemko wrote:
> > 
> > No, read the first bit.  You trash the request if you don't reach end of
> > line before end of the 8k buffer you read from.
> 
> But suppose you read from /dev/tape, and the first n kilobytes
> indeed look sensible? Say, the tape is filled with 2GB worth of
> newlines?
> 
> I would prefer to check the device first.

But if they create a sparse file then they can do this anyway even if you
do check the device.

I'm not entirely convinced that checking if it is a device avoids all the
problems either.  Say you have a system with any large file on; poof, you
can still use it.  I really have trouble thinking of large world readable
devices that return text.


Mime
View raw message