Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 18518 invoked by uid 6000); 4 May 1998 04:10:20 -0000
Received: (qmail 18510 invoked by uid 24); 4 May 1998 04:10:19 -0000
Message-Id: <3.0.3.32.19980503210924.007bce60@hyperreal.org>
X-Sender: brian@hyperreal.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 03 May 1998 21:09:24 -0700
To: new-httpd@apache.org
From: Brian Behlendorf
Subject: security fixes in 1.2.5's proxy_util?
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

So in STATUS we have:

* proxy security fixes from 1.2.5 need to be brought forward
Jim: What are these?

The only security-related fix I can see in the 1.2.x series in the proxy code is from proxy_util.c:

http://www.apache.org/websrc/cvsweb.cgi/apache-1.2/src/modules/proxy/proxy_util.c.diff?r1=1.17&r2=1.17.2.1

In which we see the following code snippet introduced:

+ if (strlen(x)+1 < 30) { + x = palloc(p, 30); + }

Yet in 1.3's proxy_util.c we see:

    if (strlen(x) < 30)
        x = ap_palloc(p, 30);

I have a hunch that the 1.2.5 code is correct, and the 1.3 code has an off-by-one error, since strlen() doesn't count the null() at the end of the string, whereas it's necessary to count it for palloc() and snprintf(). But then again I'm not sure why we're measuring it if we're just trashing it later.... do we even need that if()?

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
pure chewing satisfaction brian@apache.org brian@hyperreal.org
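
Review bot: in the added guard `if (strlen(x)+1 < 30)`, the literal 30 appears twice (the comparison and `palloc(p, 30)`) with no comment saying how many bytes the code that follows writes into x, so the boundary cannot be checked from the hunk alone. Suggest naming the required size once, documenting that it includes the terminating NUL, and using that name in both the test and the allocation. The message also quotes 1.3 as carrying `strlen(x) < 30` for the same check, so whichever form is kept should read the same in both branches.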
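
The boundary question raised in the message, worked through as an added example (not code from the post or from Apache): it runs both quoted conditions over every input length and reports where they leave too little room and where they disagree. Assumptions, since the post does not state them: the later write needs 30 bytes including the NUL, x owns exactly strlen(x)+1 bytes, and the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption (not stated in the post): the later write fills 30 bytes,
 * terminating NUL included, and x owns exactly strlen(x)+1 bytes. */
#define NEED   ((size_t)30)
#define MAXLEN 64
typedef int (*guard_fn)(const char *);   /* nonzero = allocate a fresh buffer */

/* Condition from the 1.2.5 hunk quoted in the post. */
static int guard_125(const char *x) { return strlen(x) + 1 < NEED; }
/* Condition from the 1.3 line quoted in the post. */
static int guard_13(const char *x)  { return strlen(x) < NEED; }

/* Bytes available to the later write once the guard has run. */
static size_t capacity_after(const char *x, guard_fn g) { return g(x) ? NEED : strlen(x) + 1; }

/* Number of input lengths 0..MAXLEN that leave fewer than NEED bytes. */
static int unsafe_lengths(guard_fn g)
{
    char buf[MAXLEN + 1];
    int bad = 0;
    for (size_t len = 0; len <= MAXLEN; len++) {
        memset(buf, 'A', len);           /* constructed input of this length */
        buf[len] = '\0';
        if (capacity_after(buf, g) < NEED) bad++;
    }
    return bad;
}

/* Number of lengths where the two guards decide differently; *last gets the last one. */
static int disagreements(size_t *last)
{
    char buf[MAXLEN + 1];
    int n = 0;
    for (size_t len = 0; len <= MAXLEN; len++) {
        memset(buf, 'A', len);
        buf[len] = '\0';
        if (!guard_125(buf) != !guard_13(buf)) { *last = len; n++; }
    }
    return n;
}

int main(void)
{
    size_t at = 0;
    int n = disagreements(&at);
    printf("unsafe: 1.2.5=%d 1.3=%d; guards differ at %d length(s), strlen=%zu\n",
           unsafe_lengths(guard_125), unsafe_lengths(guard_13), n, at);
    return 0;
}
```

Under these assumptions neither condition leaves a short buffer; they differ only at strlen(x) == 29, where the 1.3 form allocates a fresh 30 bytes although the existing buffer already holds 30.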