From "Roy T. Fielding" <>
Subject Re: CAN-2002-0392 : what about older versions of Apache?
Date Tue, 25 Jun 2002 02:04:40 GMT
> I did not remove your patch, I am merely looking for some other opinions.

So am I.  Where are they?

> Have you so soon forgotten that this bug has been in the codebase for
> over 4 years? Common sense tells us that this big of a fuckup needs to
> be thoroughly reviewed, and by someone other than the original author.

What kind of nonsense is that?  The fuckup is obvious once someone says
"hey, it's not protecting against overflow into the signed bit."  The
fix for that is trivial.  The hard part was seeing the tree within the
forest, and then figuring out how they used it to create an exploit.
But that must not prevent us from plugging the hole once it is pointed out.

I know exactly how the hole in the code was introduced -- I remember when
it happened and why there wasn't enough review of the code.  I also know
that I reviewed that code dozens of times since then and never saw this
particular condition.  Shit happens.  Nevertheless, I also know when to
put aside ego and let the bugs be fixed as soon as possible.  Our rule
is that if an exploit script is published, then nothing else is more
important than getting a patch up that plugs the exploit on all releases.

>> My patch does fix the problem, certainly far better than no patch at all.
>> If you disagree, then tell me why it doesn't fix the problem.  If all you
>> are going to do is pontificate about the subject without taking the five
>> minutes necessary to review the change
> There's no way that I would be comfortable with a patch to fix a problem
> of this magnitude after only 5 minutes, especially after spending so
> many hours trying to understand the ramifications of the gobbles exploit.

How can you not feel comfortable about it after 5 minutes?  The ramifications
of the gobbles exploit are completely irrelevant to stopping the gobbles
exploit.  The ramifications were already published.  Stopping the exploit
only requires one conditional pre-1.3.24.  Even if, by some strange freak
of nature, there exists some other exploit of a related nature, it is still
absolutely necessary that we provide a patch that allows our users to stop
the script kiddies from using the gobbles exploit ASAP.  That was done for
the current version of httpd (a much harder task) and would have been done
for all Apache httpd as of Friday if some idiot hadn't removed my patch
without telling me.

I don't mind that some people here don't have enough experience with
Apache 1.2.x and 1.3.x to feel comfortable about preparing such a patch.
I wouldn't feel comfortable preparing one for 2.0.x filters.
What I do mind is some people feeling that I should sit on my thumb and
wait for them to decide, if they ever find the time to get around to it,
whether or not I know enough about C programming and http_protocol.c
to provide an adequate patch.  I've earned the right to be given the
benefit of the doubt, just as you have earned the right to veto the
patch based on TECHNICAL reasons after you've taken the time to review it
and supplied an alternative.



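As an added illustration (not code from this thread, from Apache httpd, or from Fielding's patch), the class of defect the message names: a chunk length held in a signed long that is compared against a buffer size without first excluding the sign bit, beside the one-conditional fix, plus a strict hex parser for the chunk-size token that never lets the accumulator reach the sign bit. Function names, the buffer size, and the sample lines are constructed for the example; the real http_protocol.c logic is not reproduced here.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Naive size check of the shape the message describes as the hole: a signed
 * length is compared without excluding negative values, so a chunk size whose
 * sign bit is set passes as "small" and is later cast to a huge size_t. */
int chunk_fits_naive(long chunk_len, size_t avail) {
    return chunk_len <= (long)avail;
}

/* Hardened check: one extra conditional rejects negative lengths before the
 * size comparison, so the cast to size_t can never produce an enormous value. */
int chunk_fits_checked(long chunk_len, size_t avail) {
    if (chunk_len < 0)
        return 0;
    return (size_t)chunk_len <= avail;
}

/* Value of one hex digit, or -1 for any other character. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the chunk-size token of a line such as "1a;ext=foo\r\n".
 * Returns 0 and stores the length in *out, or -1 if the token is empty,
 * contains a non-hex character before the terminator, or would overflow a
 * non-negative long (i.e. would set the sign bit). Hypothetical helper. */
int parse_chunk_size(const char *line, long *out) {
    long v = 0;
    const char *p = line;

    if (hex_val((unsigned char)*p) < 0)
        return -1;                       /* empty token or not a hex digit */

    for (; *p; p++) {
        int d = hex_val((unsigned char)*p);
        if (d < 0)
            break;
        /* v * 16 + d must stay <= LONG_MAX; refuse before the overflow. */
        if (v > (LONG_MAX - d) / 16)
            return -1;
        v = v * 16 + d;
    }

    /* Only a chunk extension, whitespace, or end of line may follow. */
    if (*p != '\0' && *p != ';' && *p != '\r' && *p != '\n' &&
        *p != ' ' && *p != '\t')
        return -1;

    *out = v;
    return 0;
}

int main(void) {
    /* Constructed sample chunk-size lines. */
    const char *lines[] = {
        "1a;ext=foo\r\n",          /* valid: 26 bytes */
        "0\r\n",                   /* valid: last chunk */
        "ffffffffffffffffffff\r\n",/* too wide for any long: rejected */
        "zz\r\n",                  /* not hex: rejected */
    };
    size_t avail = 4096;           /* constructed buffer size */

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long len;
        if (parse_chunk_size(lines[i], &len) == 0)
            printf("ok   len=%ld fits=%d\n", len, chunk_fits_checked(len, avail));
        else
            printf("reject %s", lines[i]);
    }

    /* A negative length constructed directly, standing in for a value whose
     * sign bit was set by an unchecked parser. */
    printf("naive check on -1: %d, checked: %d\n",
           chunk_fits_naive(-1, avail), chunk_fits_checked(-1, avail));
    return 0;
}
```

The two checks differ by exactly the one conditional the message says suffices; the parser shows the stricter alternative of never producing a negative length at all, which is the shape a reviewer would want in the token-parsing path rather than at every later comparison.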