httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@apache.org>
Subject Re: cvs commit: apache-1.3/src/main http_protocol.c
Date Tue, 09 Jul 2002 18:18:01 GMT
WTF?  -1   Jim, that code is doing an error check prior to the
strtol.  It is not looking for the start of the number, but
ensuring that the number is non-negative and all digits prior
to calling the library routine.  A simple check of *lenp would
have been sufficient for the blank case.

I need to go through the other changes as well, so I'll fix it,
but don't release with this code.

....Roy


On Tuesday, July 9, 2002, at 07:47  AM, jim@apache.org wrote:

> jim         2002/07/09 07:47:24
>
>   Modified:    src      CHANGES
>                src/main http_protocol.c
>   Log:
>   Allow for null/all-whitespace C-L fields as we did pre-1.3.26. However,
>   we do not allow for the total bogusness of values for C-L, just this
>   one special case. IMO a C-L field of "iloveyou" is bogus as is one
>   of "123yabbadabbado", which older versions appear to have allowed
>   (and in the 1st case, assume 0 and in the 2nd assume 123). Didn't
>   make sense to make this runtime, but a documented special case
>   instead.
>
>   Revision  Changes    Path
>   1.1836    +8 -0      apache-1.3/src/CHANGES
>
>   Index: CHANGES
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/CHANGES,v
>   retrieving revision 1.1835
>   retrieving revision 1.1836
>   diff -u -r1.1835 -r1.1836
>   --- CHANGES	8 Jul 2002 18:06:54 -0000	1.1835
>   +++ CHANGES	9 Jul 2002 14:47:23 -0000	1.1836
>   @@ -1,5 +1,13 @@
>    Changes with Apache 1.3.27
>
>   +  *) In 1.3.26, a null or all blank Content-Length field would be
>   +     triggered as an error; previous versions would silently ignore
>   +     this and assume 0. As a special case, we now allow this and
>   +     behave as we previously did. HOWEVER, previous versions would
>   +     also silently accept bogus C-L values; We do NOT do that. That
>   +     *is* an invalid value and we treat it as such.
>   +     [Jim Jagielski]
>   +
>      *) Add ProtocolReqCheck directive, which determines if Apache will
>         check for a valid protocol string in the request (eg: HTTP/1.1)
>         and return HTTP_BAD_REQUEST if not valid. Versions of Apache
>
>
>
>   1.324     +8 -2      apache-1.3/src/main/http_protocol.c
>
>   Index: http_protocol.c
>   ===================================================================
>   RCS file: /home/cvs/apache-1.3/src/main/http_protocol.c,v
>   retrieving revision 1.323
>   retrieving revision 1.324
>   diff -u -r1.323 -r1.324
>   --- http_protocol.c	8 Jul 2002 18:06:55 -0000	1.323
>   +++ http_protocol.c	9 Jul 2002 14:47:24 -0000	1.324
>   @@ -2011,10 +2011,16 @@
>            const char *pos = lenp;
>            int conversion_error = 0;
>
>   -        while (ap_isdigit(*pos) || ap_isspace(*pos))
>   +        while (ap_isspace(*pos))
>                ++pos;
>
>            if (*pos == '\0') {
>   +            /* special case test - a C-L field NULL or all blanks is
>   +             * assumed OK and defaults to 0. Otherwise, we do a
>   +             * strict check of the field */
>   +            r->remaining = 0;
>   +        }
>   +        else {
>                char *endstr;
>                errno = 0;
>                r->remaining = ap_strtol(lenp, &endstr, 10);
>   @@ -2023,7 +2029,7 @@
>                }
>            }
>
>   -        if (*pos != '\0' || conversion_error) {
>   +        if (conversion_error) {
>                ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, r,
>                            "Invalid Content-Length");
>                return HTTP_BAD_REQUEST;
>
>
>
>


Mime
View raw message