httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Mon, 24 Jun 2002 03:20:23 GMT
> I don't remember seeing any +1's for this patch on the list.

I don't remember needing any.  There were no -1 with explanations.
There certainly hasn't been any effort spent, aside from my own, to
address the needs of those who cannot upgrade.  You guys punted, so
I picked up the ball and finished the task.  Somebody has to do it.
I refuse to consider votes based on "I haven't looked at it yet."

> Please remove this patch until one can be made that addresses the same
> issues with the proxy code (which also uses get_chunk_size()).

No.  Aaron, use your brain.  First, the proxy code that implemented chunked
reading was introduced after 1.3.22 (hence my NUMEROUS comments to the 
that it wasn't applicable).  Second, the bogus type casts were not present
until after 1.3.22.  Third, the pointless ap_strtol addition was only done
because someone wanted to check the errno field, which is totally
irrelevant to the security hole itself.

My patch does fix the problem, certainly far better than no patch at all.
If you disagree, then tell me why it doesn't fix the problem.  If all you
are going to do is pontificate about the subject without taking the five
minutes necessary to review the change, then piss off.


View raw message