httpd-dev mailing list archives

From "Roy T. Fielding" <field...@apache.org>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Mon, 24 Jun 2002 00:09:05 GMT
I have re-uploaded a patch to fix the problem on all versions of
httpd 1.2.0 through 1.3.22.  This time I added the four lines that
check for a negative return value from atol, even though there has
been no evidence of any such error in the standard C libraries.

To the person who deleted my prior patch: You just wasted
my Sunday afternoon.  Even if the patch didn't, by some stretch of
your imagination, suffice for the broken atol case, you prevented
people from protecting themselves against a published exploit script
that doesn't even use content-length as an attack.  Do not remove
my patch unless you replace it with a better fix that is known to
apply for that version and compile on all platforms.

-1 to any additions of ap_strtol to prior versions of Apache.
That introduced more problems than it fixed.  There is no reason
to work around the operating system when a simple fix to our own
code is necessary and sufficient to solve the problem.


Roy T. Fielding, Chairman, The Apache Software Foundation
                  (fielding@apache.org)  <http://www.apache.org/>
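
The check Fielding describes (reject a negative value coming back from the chunk-size conversion before it is used as a length) is the kind of thing worth seeing in code. The following is an added illustration written for this archive page; it is not Fielding's patch and not Apache's source. It models a chunk-size header parser built on strtol (hypothetical names chunk_size_unchecked, chunk_size_checked, bytes_to_copy, with constructed sample lines), and shows why a signed length that can go negative is dangerous the moment it is converted to size_t. Note that strtol accepts a leading '-', so a negative result does not even require the buggy libc the message speculates about: the header "-1" parses to -1 on any conforming C library.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed model of a chunk-size parser (not Apache's code).
 * An HTTP chunk header is hex digits, optionally followed by ";ext".
 */

/* Naive: take whatever strtol hands back and call it a length. */
long chunk_size_unchecked(const char *line)
{
    return strtol(line, NULL, 16);
}

/* Guarded: reject no-digits, overflow (ERANGE), negative values (strtol
 * accepts a leading '-', so "-1" parses to -1 without any libc bug) and
 * anything above a caller-chosen ceiling.  Returns -1 on rejection. */
long chunk_size_checked(const char *line, long max)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(line, &end, 16);
    if (end == line)        return -1;  /* no hex digits at all */
    if (errno == ERANGE)    return -1;  /* value did not fit in a long */
    if (v < 0)              return -1;  /* a negative chunk size is never valid */
    if (v > max)            return -1;  /* larger than we are willing to buffer */
    return v;
}

/* The classic min(remaining, bufsiz) with a signed 'remaining'.
 * If 'remaining' is negative the comparison is false and the negative value
 * is converted to size_t, yielding SIZE_MAX: a copy length nobody intended. */
size_t bytes_to_copy(long remaining, size_t bufsiz)
{
    return (size_t)((remaining > (long)bufsiz) ? (long)bufsiz : remaining);
}

int main(void)
{
    /* Constructed sample chunk-header lines, not captured traffic. */
    const char *lines[] = { "1a;ext=x", "-1", "ffffffffffffffffffff", "zz" };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long raw = chunk_size_unchecked(lines[i]);
        long ok  = chunk_size_checked(lines[i], 1L << 20);
        printf("%-22s raw=%ld checked=%ld copy_len(raw)=%zu\n",
               lines[i], raw, ok, bytes_to_copy(raw, 8192));
    }
    return 0;
}
```

Compile with any C compiler and run it: the "-1" line is the one to watch, where the unchecked path yields a copy length of SIZE_MAX while the checked path rejects the header outright. The ERANGE test covers the overflow case on a conforming libc (strtol clamps to LONG_MAX), and the `v < 0` test covers both the leading-sign case and the hypothetical wrapping-libc case the message refers to.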

