httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: a question
Date Mon, 05 Apr 1999 03:17:47 GMT


On Wed, 31 Mar 1999, Ralf S. Engelschall wrote:

> 
> In article <Pine.LNX.4.04.9903310457120.4208-100000@hades.riverstyx.net> you wrote:
> 
> > I'm wondering, strcpy is replaced by ap_cpystrn (for the various reasons
> > listed in ap_cpystrn.c).  What's the "right" (Apache) way to strcat?  Do
> > y'all care?
> 
> Isn't ap_pstrcat() what you want? 

If you're doing a fixed number of strcat's then... sure I guess it's OK.
But .*strn?cat are O(n^2) problems waiting to happen... if you look back
at what we had to fix for the O(n^2) attacks, a lot of them were
ap_pstrcat calls.

Just make sure your call to ap_pstrcat() (or strcat() if you're using it)
can't be executed an arbitrary number of times.

Look at ap_array_pstrcat for an example that's essentially O(n), there's a
few examples of its use. 

Dean
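
Added example, not part of the message above and not Apache code: a plain C comparison of appending in a loop with strcat(), which rescans the destination on every call, against a join that tracks its write position and touches each byte once. The names join_by_strcat, join_tracked, measure and MAX_PARTS are hypothetical, and the input is constructed (n one-byte tokens, standing in for a request whose element count the client controls).

```c
#include <stdio.h>
#include <string.h>

/* strcat() in a loop: each call rescans dst for its terminator. Returns bytes rescanned. */
size_t join_by_strcat(char *dst, const char **parts, size_t n)
{
    size_t scanned = 0, i;
    dst[0] = '\0';
    for (i = 0; i < n; i++) {
        scanned += strlen(dst);        /* the scan strcat() repeats internally */
        strcat(dst, parts[i]);
    }
    return scanned;
}

/* Keep a pointer to the end and copy there. Returns bytes copied (the output length). */
size_t join_tracked(char *dst, const char **parts, size_t n)
{
    char *end = dst;
    size_t i, len;
    for (i = 0; i < n; i++) {
        len = strlen(parts[i]);
        memcpy(end, parts[i], len);
        end += len;
    }
    *end = '\0';
    return (size_t)(end - dst);
}

/* Constructed input: n one-byte tokens. Returns the work counter of the chosen join. */
#define MAX_PARTS 4096
size_t measure(size_t n, int tracked)
{
    static const char *parts[MAX_PARTS];
    static char buf[MAX_PARTS + 1];    /* one byte per part plus the terminator */
    size_t i;
    if (n > MAX_PARTS)
        return 0;
    for (i = 0; i < n; i++)
        parts[i] = "x";
    return tracked ? join_tracked(buf, parts, n) : join_by_strcat(buf, parts, n);
}

int main(void)
{
    printf("rescanned %lu, copied %lu\n", (unsigned long)measure(1000, 0), (unsigned long)measure(1000, 1));
    return 0;
}
```

Doubling n from 1000 to 2000 doubles the tracked join's work but roughly quadruples the strcat loop's, which is why a cap on the number of appends (or a single-pass join) matters when the count comes from request data.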


