httpd-dev mailing list archives

From Guenter Knauf <fua...@apache.org>
Subject Re: svn commit: r826520 - /httpd/httpd/trunk/support/htdigest.c
Date Sun, 18 Oct 2009 21:20:00 GMT
Hi,
Ruediger Pluem wrote:
> Why do you think that line should be also 3 * MAX_STRING_LEN?
> I guess currently it can be MAX_STRING_LEN at max because of line
> 256:
> 
>     while (!(get_line(line, MAX_STRING_LEN, f))) {
> 
> But maybe this should be changed to
> 
> while (!(get_line(line, 3 * MAX_STRING_LEN, f))) {
> 
> as a password line could be up to 2 * MAX_STRING_LEN + length of MD5 hash in hex + 1.

Another problem I see here is that MAX_STRING_LEN = 8192 bytes, that
means that already 6*8k are allocated from stack which is a problem at
least on NetWare, as already discussed here back in 2001:
http://mail-archives.apache.org/mod_mbox/httpd-dev/200107.mbox/%3Csb52b03e.070@prv-mail20.provo.novell.com%3E
I think for such things like username, password, realm we don't need to
expect more than 256 bytes, but even if we want to be super-safe it
would be enough to reserve 512 bytes; so can't we introduce a new define
like:
#define SMALL_STRING_LEN 256
and use this instead within the auth modules for username, password, realm?
1,5k <-> 48k is a huge difference ...

Gün.
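
An added example, not part of the original message and not code from httpd: a parser for one digest-file line that sizes its field buffers with the proposed SMALL_STRING_LEN and refuses over-long fields instead of truncating them. The struct and function names are hypothetical; the `user:realm:hash` layout with a lowercase-hex MD5 hash and input already stripped of its newline are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed limits for this example: SMALL_STRING_LEN is the define proposed
 * in the message, MD5_HEX_LEN is the length of an MD5 digest in hex. */
#define SMALL_STRING_LEN 256
#define MD5_HEX_LEN      32
/* user ':' realm ':' hash '\0' */
#define DIGEST_LINE_LEN  (2 * SMALL_STRING_LEN + MD5_HEX_LEN + 2 + 1)

struct digest_entry {               /* hypothetical record type */
    char user[SMALL_STRING_LEN];
    char realm[SMALL_STRING_LEN];
    char hash[MD5_HEX_LEN + 1];
};

/* Copy src[0..len) into dst only if it fits together with its terminator. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len == 0 || len >= dstsz)
        return -1;                  /* empty or would be truncated: reject */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "user:realm:md5hex" (assumed layout, newline already removed).
 * Returns 0 on success, -1 on any malformed or over-long field, so a long
 * line is refused rather than overflowing or being silently cut. */
int parse_digest_line(const char *line, struct digest_entry *out)
{
    const char *c1, *c2;
    size_t hlen;

    if (strlen(line) >= DIGEST_LINE_LEN)
        return -1;
    if (!(c1 = strchr(line, ':')) || !(c2 = strchr(c1 + 1, ':')))
        return -1;
    hlen = strlen(c2 + 1);
    if (hlen != MD5_HEX_LEN || strspn(c2 + 1, "0123456789abcdef") != hlen)
        return -1;
    if (copy_field(out->user, sizeof out->user, line, (size_t)(c1 - line)) ||
        copy_field(out->realm, sizeof out->realm, c1 + 1, (size_t)(c2 - c1 - 1)))
        return -1;
    memcpy(out->hash, c2 + 1, hlen + 1);
    return 0;
}
```

With these limits one entry takes well under 1 KB of stack, and the line buffer can be sized from DIGEST_LINE_LEN rather than from a multiple of MAX_STRING_LEN.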