httpd-dev mailing list archives

From Ben Laurie <>
Subject Re: 1.3b7
Date Tue, 12 May 1998 08:52:39 GMT
Brian Behlendorf wrote:
> >
> >     * SECURITY: check if the magic con/aux/nul/etc names do anything
> >         really bad
> Discussion on this died down; when we last left it, I wondered aloud
> whether the device-checking patch which was applied last week solved this
> problem.

Ah, yes - I was halfway through testing that, when I suddenly had to
spend my time making the blasted thing work instead. By the time I had
finished I'd forgotten why I was doing it.

>  This problem continues to exist in theory only - so far no one's
> demonstrated a concrete example of where the current code has problems.  I
> would like to demote this to an open issue, to be reinstated when someone
> demonstrates a problem.  Anyone opposed?
> >    * SECURITY: numerous uses of strcpy and strcat have potential
> >        for buffer overflow, someone should rewrite or verify
> >        they're safe
> Ben did some protection around the strcpy and strcat uses in util_win32.c.
> There are some other unprotected places in that code,


> and in readdir.c, but
> those uses appear to be covered by proper memory allocation.  I move that
> this be demoted to an open issue.  Again, let me know if you're opposed.



Ben Laurie            |Phone: +44 (181) 735 0686|  Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|
and Technical Director|Email: |
A.L. Digital Ltd,     |Apache-SSL author
London, England.      |"Apache: TDG"
