httpd-dev mailing list archives

From "Paul Querna" <>
Subject Re: round 2 of mod_authn_mysql
Date Tue, 18 Feb 2003 21:30:18 GMT
DW> mysql_init can return a NULL;  

Added a check for this in 0.0.5 ( now on )

DW> are we sure that mysql_close is 
DW> thread safe ? 

According to the MySQL website and documentation, only
mysql_real_connect/mysql_connect are not thread safe.

DW> And I'd make the psprintf's into 'psnprintf's with a,
DW> say 1-2k limit as some of the fields may be under potential 
DW> malicious http-wire or .htaccess control (note the NAME_LEN and a 
DW> few others in mysql.h or mysql_com.h); mysql does little checking 
DW> afaik and simply barfs/cores.

I can't find any function called "apr_psnprintf" in the apr documentation, and
grep'ing the APR source I couldn't find it either.  It doesn't look like there
is an apr_psprintf implementation that checks the size.

DW> this also has another issue; a local user could cause apache to 
DW> create a -lot- of connections to the database with rogue .htaccess 
DW> files. Not sure that that is -really- an issue. But given that 
DW> you've very nicely mutexed all the connects; a simple counter may 
DW> help.

I have added a MYSQL_HARD_MAX_CONNS for a total Hard Max.  I've set it to 255
for now, as I don't see anyone needing that many concurrent mysql connections.
(and if they do, the source is always there)

DW> init_authn_mysql
DW> 	tmpnam()	-> no error trapping
DW> Trusted Solaris barfed on this without it being clear that this was the
DW> cause of my problem. It also makes a file in some random location; 
DW> did apr_ not have a nice version of it which has some more control 
DW> for the admin over where ? Or was that never written ?

I have added Error Checking to it now.  I haven't seen any APR wrapper for it,
and I am using tmpnam in the same way mod_auth_digest creates its own global
mutex. ( modules/aaa/mod_auth_digest.c - line 329 )

I don't have a Win32 build environment for Apache2.1 and mod_authn_mysql, if
anyone could try it out and give me feedback on it, that would be great.

I am still waiting to hear anything from regarding the
licensing issues of linking to the libmysqlclient. I would like to get them
sorted out soon.

thank you for the comments.
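The two defensive measures discussed in this exchange, a mutex-guarded hard cap on open database connections and length-checked formatting of fields that may come from .htaccess or the request, are shown below as an added, stand-alone C example. It is not mod_authn_mysql code: libmysqlclient is not linked, the cap is a small constructed value rather than the 255 mentioned in the post, and the function names (conn_slot_acquire, conn_slot_release, build_query) and the FIELD_MAX limit are this example's own choices.

```c
/* Added example, not mod_authn_mysql code.  Demonstrates:
 *  1. a hard connection cap enforced by a counter under a mutex
 *     (the "simple counter" suggested in the review), and
 *  2. length-checked query formatting that rejects oversized
 *     caller-controlled fields instead of handing them to the
 *     client library (the "psnprintf with a 1-2k limit" idea).
 * No database is contacted; the connection itself is not modelled. */
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MYSQL_HARD_MAX_CONNS 4   /* constructed value; the post uses 255 */
#define FIELD_MAX 1024           /* per-field limit, in the 1-2k range suggested */

static pthread_mutex_t conn_lock = PTHREAD_MUTEX_INITIALIZER;
static int open_conns = 0;       /* only ever touched while conn_lock is held */

/* Reserve a connection slot.  Returns 1 if a slot was granted, 0 if the
 * hard maximum has been reached.  Callers only open a real connection
 * after a successful acquire, so rogue configs cannot exceed the cap. */
int conn_slot_acquire(void)
{
    int granted = 0;
    pthread_mutex_lock(&conn_lock);
    if (open_conns < MYSQL_HARD_MAX_CONNS) {
        open_conns++;
        granted = 1;
    }
    pthread_mutex_unlock(&conn_lock);
    return granted;
}

/* Give a slot back after the connection is closed. */
void conn_slot_release(void)
{
    pthread_mutex_lock(&conn_lock);
    if (open_conns > 0)
        open_conns--;
    pthread_mutex_unlock(&conn_lock);
}

/* Current number of reserved slots (read under the lock). */
int conn_slot_count(void)
{
    pthread_mutex_lock(&conn_lock);
    int n = open_conns;
    pthread_mutex_unlock(&conn_lock);
    return n;
}

/* Format a lookup query into 'out'.  Every field is checked against
 * FIELD_MAX first and the result is checked against 'outlen', so an
 * overlong table or column name from a config file is refused rather
 * than truncated or overflowed.  The user value is left as a '?'
 * placeholder to be bound separately.  Returns the formatted length,
 * or -1 if a field is too long, missing, or the buffer is too small. */
int build_query(char *out, size_t outlen, const char *table,
                const char *pwfield, const char *userfield)
{
    const char *fields[] = { table, pwfield, userfield };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++) {
        if (fields[i] == NULL || strlen(fields[i]) >= FIELD_MAX)
            return -1;
    }
    int n = snprintf(out, outlen, "SELECT %s FROM %s WHERE %s = ?",
                     pwfield, table, userfield);
    if (n < 0 || (size_t)n >= outlen)
        return -1;              /* snprintf would have truncated */
    return n;
}

int main(void)
{
    char query[256];
    int len = build_query(query, sizeof query, "users", "passwd", "login");
    printf("query (%d bytes): %s\n", len, len >= 0 ? query : "(rejected)");

    int granted = 0;
    for (int i = 0; i < MYSQL_HARD_MAX_CONNS + 2; i++)
        granted += conn_slot_acquire();
    printf("requested %d connections, granted %d\n",
           MYSQL_HARD_MAX_CONNS + 2, granted);
    return 0;
}
```

The counter is the only shared state, so the lock is held for a few instructions and the cost is negligible next to a real connect; the query builder fails closed, returning -1 on any oversized input, so the caller logs and denies rather than passing a partial query on.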

