Re: Fixing the NCSA HTTPD 1.3 (fwd)

Thomas Lopatic (lopatic@dbs.informatik.uni-muenchen.de)
Thu, 16 Feb 1995 10:57:56 +0100 (MET)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jake Hill: "NCSA httpd holes also in 1.2"
Previous message: Everett F Batey WA6CRE: "For NCSA Http_1.05a"

Hi there,

> > 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN
> >    (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead
> >     of getline(l,HUGE_STRING_LEN,in,timeout))
> 
> I don't see any obvious problems with it (then again, I'm no expert on 
> NCSA's code) but I'm curious: is there any rationale behind the magic 
> number 4 here, or is that an essentially arbitrary decision?

it is an arbitrary decision to introduce some security in case I've missed
something in the code of the HTTPD. I think it should be enough just to
make HUGE_STRING_LEN and MAX_STRING_LEN have the same value. Maybe my approach
was a bit paranoid. If you need URLs larger than 1000 chars you might want
to increase the buffer sizes. These are pretty much arbitrary as well. Sorry
for not saying so in the posting.

Greetings,
-Thomas

-- 
Thomas Lopatic                               lopatic@informatik.uni-muenchen.de

Next message: Jake Hill: "NCSA httpd holes also in 1.2"
Previous message: Everett F Batey WA6CRE: "For NCSA Http_1.05a"