httpd-dev mailing list archives

From "Ryan Bloom" <...@covalent.net>
Subject RE: CAN-2002-0392 : what about older versions of Apache?
Date Sun, 23 Jun 2002 02:58:05 GMT
> From: Aaron Bannert [mailto:aaron@clove.org]
> 
> On Sun, Jun 23, 2002 at 05:09:05PM -0700, Roy Fielding wrote:
> > I have re-uploaded a patch to fix the problem on all versions of
> > httpd 1.2.0 through 1.3.22.  This time I added the four lines that
> > check for a negative return value from atol, even though there has
> > been no evidence of any such error in the standard C libraries.
> >
> > To the person who deleted my prior patch: You just wasted
> > my Sunday afternoon.  Even if the patch didn't, by some stretch of
> > your imagination, suffice for the broken atol case, you prevented
> > people from protecting themselves against a published exploit script
> > that doesn't even use content-length as an attack.  Do not remove
> > my patch unless you replace it with a better fix that is known to
> > apply for that version and compile on all platforms.
> >
> > -1 to any additions of ap_strtol to prior versions of Apache.
> > That introduced more problems than it fixed.  There is no reason
> > to work around the operating system when a simple fix to our own
> > code is necessary and sufficient to solve the problem.
> 
> 
> I don't remember seeing any +1's for this patch on the list.
> 
> Please remove this patch until one can be made that addresses the same
> issues with the proxy code (which also uses get_chunk_size()).

The proxy didn't use that code until it supported HTTP 1.1, which didn't
happen until 1.3.24.  Roy is right, removing this patch is completely
bogus.

Ryan
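
As an added illustration (not the patch discussed in this thread and not Apache code): a chunk-size parser that refuses values too large for a non-negative long, plus a negative-length check applied before the length is used as a copy size. The names parse_chunk_size and bytes_to_copy and the 8192-byte buffer are hypothetical, and the sample lines are constructed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical helper, not Apache's get_chunk_size(): parse the hex size at
 * the start of a chunk-size line. Returns the size, or -1 if the line is
 * malformed or the value does not fit in a non-negative long. */
long parse_chunk_size(const char *s)
{
    long size = 0;
    int digits = 0;

    for (; isxdigit((unsigned char)*s); s++, digits++) {
        int c = tolower((unsigned char)*s);
        int v = isdigit(c) ? c - '0' : c - 'a' + 10;

        /* Refuse before size * 16 + v could wrap into the sign bit. */
        if (size > (LONG_MAX - v) / 16)
            return -1;
        size = size * 16 + v;
    }
    /* At least one digit, then end of line, whitespace or a chunk extension. */
    if (digits == 0 || (*s && *s != ';' && *s != '\r' && *s != '\n' && *s != ' '))
        return -1;
    return size;
}

/* Hypothetical helper: how many bytes to copy into a buffer of bufsiz bytes
 * when `remaining` bytes of body are left. A negative length is rejected
 * rather than compared against bufsiz, where it would always look "small". */
long bytes_to_copy(long remaining, long bufsiz)
{
    if (remaining < 0 || bufsiz <= 0)
        return -1;
    return remaining < bufsiz ? remaining : bufsiz;
}

int main(void)
{
    /* Constructed sample chunk-size lines. */
    const char *lines[] = { "1a\r\n", "10;name=val\r\n", "ffffffffffffffffffff\r\n", "-1\r\n" };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long n = parse_chunk_size(lines[i]);
        printf("size=%ld copy=%ld\n", n, bytes_to_copy(n, 8192));
    }
    return 0;
}
```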


