httpd-dev mailing list archives

From Aaron Bannert <aa...@clove.org>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Mon, 24 Jun 2002 04:53:19 GMT
On Sun, Jun 23, 2002 at 08:20:23PM -0700, Roy Fielding wrote:
> >I don't remember seeing any +1's for this patch on the list.
> 
> I don't remember needing any.  There were no -1 with explanations.
> There certainly hasn't been any effort spent, aside from my own, to
> address the needs of those who cannot upgrade.  You guys punted, so
> I picked up the ball and finished the task.  Somebody has to do it.
> I refuse to consider votes based on "I haven't looked at it yet."

I did not remove your patch, I am merely looking for some other opinions.

Have you so soon forgotten that this bug has been in the codebase for
over 4 years? Common sense tells us that this big of a fuckup needs to
be thoroughly reviewed, and by someone other than the original author.

> My patch does fix the problem, certainly far better than no patch at all.
> If you disagree, then tell me why it doesn't fix the problem.  If all you
> are going to do is pontificate about the subject without taking the five
> minutes necessary to review the change

There's no way that I would be comfortable with a patch to fix a problem
of this magnitude after only 5 minutes, especially after spending so
many hours trying to understand the ramifications of the gobbles exploit.

> , then piss off.

Turning this personal doesn't make your code any better.

-aaron
