httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aaron Bannert <aa...@clove.org>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Mon, 24 Jun 2002 02:27:53 GMT
On Sun, Jun 23, 2002 at 05:09:05PM -0700, Roy Fielding wrote:
> I have re-uploaded a patch to fix the problem on all versions of
> httpd 1.2.0 through 1.3.22.  This time I added the four lines that
> check for a negative return value from atol, even though there has
> been no evidence of any such error in the standard C libraries.
> 
> To the person who deleted my prior patch: You just wasted
> my Sunday afternoon.  Even if the patch didn't, by some stretch of
> your imagination, suffice for the broken atol case, you prevented
> people from protecting themselves against a published exploit script
> that doesn't even use content-length as an attack.  Do not remove
> my patch unless you replace it with a better fix that is known to
> apply for that version and compile on all platforms.
> 
> -1 to any additions of ap_strtol to prior versions of Apache.
> That introduced more problems than it fixed.  There is no reason
> to work around the operating system when a simple fix to our own
> code is necessary and sufficient to solve the problem.


I don't remember seeing any +1's for this patch on the list.

Please remove this patch until one can be made that addresses the same
issues with the proxy code (which also uses get_chunk_size()).

-aaron

Mime
View raw message