re:ncsa security problems
On Thu, 13 Apr 1995, Scott Powers wrote:
> Have _you_ looked at the cern code? For one, it is huge. For two, it is
> spaghetti. It is very difficult code to read which is for the most part
> completely undocumented. Kudos to whomever does check it out _and_ can stand
> by his/her word that it is completely safe.
I'd have let your comments go if you didn't take this shot at the CERN
server. I'm sorry, but you are living in fantasyland if you think NCSA
httpd is less spaghetti than CERN. And comments? Let's look at a sample
function from NCSA:
for(x=0;x<num_sec;x++) {
    if(is_matchexp(sec[x].d)) {
        if(!strcmp_match(path,sec[x].d)) {
            for(y=0;y<num_dirs;y++) {
                if(!(sec[x].opts & OPT_UNSET))
                    opts[y] = sec[x].opts;
                override[y] = sec[x].override;
            }
        }
        check_dir_access(x,m,&will_allow,&need_auth);
    }
    else if(!strncmp(path,sec[x].d,strlen(sec[x].d))) {
        for(y=count_dirs(sec[x].d) - 1;y<num_dirs;y++) {
            if(!(sec[x].opts & OPT_UNSET))
                opts[y] = sec[x].opts;
            override[y] = sec[x].override;
        }
        check_dir_access(x,m,&will_allow,&need_auth);
    }
}
C makes both whitespace and comments optional, but that doesn't make it a
good idea. By the way, counting both c and header files, there are 6764
lines of code in httpd1.3R, and all of 218 comments. That doesn't mean
anything in and of itself, until you look at the code.
CERN has 20036 lines of code and 1737 comments, which is a three times
better ratio. It also has much better debugging support.
Neither server is going to win any clean code competitions. That is
fine, neither costs any money either. But do not go making comments
about CERN's server that apply as much or more to NCSA's, unless you wish
to appear too close to the situation.
In my professional opinion at this time, CERN is more secure than NCSA.
But both surely have holes.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
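As an added example that is not part of the original post and not NCSA httpd source: an annotated, self-contained reconstruction of the per-directory option merge loop quoted above, run over a constructed section table so the reader can see what the undocumented loop actually does to the per-level opts[] and override[] arrays. The helper semantics (is_matchexp treating '*' and '?' as wildcards, strcmp_match returning 0 on a glob match like strcmp, count_dirs counting '/' characters, the OPT_* bit values, the struct layout and the sample section table) are assumptions made for this example; check_dir_access() is represented only by a counter.

```c
/* Added example: annotated reconstruction of the quoted NCSA loop.
 * All helpers, constants and sample data below are assumptions. */
#include <stdio.h>
#include <string.h>

#define OPT_NONE     0
#define OPT_INDEXES  1
#define OPT_INCLUDES 2
#define OPT_UNSET    128   /* assumed: "do not touch opts[] for this section" */
#define MAX_DIRS     32

struct security {
    const char *d;   /* directory the section covers; may be a glob pattern */
    int opts;        /* Options bits for that directory */
    int override;    /* AllowOverride bits for that directory */
};

/* assumed helper: a section name is a pattern if it contains a wildcard */
static int is_matchexp(const char *s) {
    return strchr(s, '*') != NULL || strchr(s, '?') != NULL;
}

/* assumed helper: minimal '*'/'?' glob, returns 0 on match (strcmp style) */
static int strcmp_match(const char *str, const char *exp) {
    if (*exp == '\0') return *str != '\0';
    if (*exp == '*') {
        for (;; str++) {
            if (strcmp_match(str, exp + 1) == 0) return 0;
            if (*str == '\0') return 1;
        }
    }
    if (*str == '\0') return 1;
    if (*exp == '?' || *exp == *str) return strcmp_match(str + 1, exp + 1);
    return 1;
}

/* assumed helper: directory depth of a path = number of '/' characters */
static int count_dirs(const char *path) {
    int n = 0;
    for (; *path; path++) if (*path == '/') n++;
    return n;
}

/* Fill opts[]/override[] for each directory level of `path` (level 0 is "/")
 * from the section table, mirroring the quoted loop. Returns the number of
 * times the original code would have called check_dir_access(). */
int merge_dir_opts(const char *path, const struct security *sec, int num_sec,
                   int num_dirs, int *opts, int *override) {
    int x, y, checks = 0;
    for (y = 0; y < num_dirs; y++) { opts[y] = OPT_NONE; override[y] = 0; }

    for (x = 0; x < num_sec; x++) {
        if (is_matchexp(sec[x].d)) {
            /* Pattern section: a whole-path match applies to every level. */
            if (!strcmp_match(path, sec[x].d)) {
                for (y = 0; y < num_dirs; y++) {
                    if (!(sec[x].opts & OPT_UNSET))
                        opts[y] = sec[x].opts;
                    override[y] = sec[x].override;   /* set even when OPT_UNSET */
                }
            }
            checks++;   /* the quoted code checks access here, matched or not */
        } else if (!strncmp(path, sec[x].d, strlen(sec[x].d))) {
            /* Literal section: sec[x].d is a string prefix of path, so it
             * applies from its own depth down to the deepest level. */
            for (y = count_dirs(sec[x].d) - 1; y < num_dirs; y++) {
                if (!(sec[x].opts & OPT_UNSET))
                    opts[y] = sec[x].opts;
                override[y] = sec[x].override;
            }
            checks++;
        }
    }
    return checks;
}

/* Constructed sample configuration (not from any real server). */
static const struct security sample_sec[] = {
    { "*.html",          OPT_INCLUDES, 4 },   /* pattern: hits every level   */
    { "/",               OPT_INDEXES,  1 },   /* root: hits every level       */
    { "/docs/",          OPT_UNSET,    2 },   /* opts inherited, override set */
    { "/docs/private/",  OPT_NONE,     0 },   /* not a prefix of the request  */
    { "/docs/sub/",      OPT_NONE,     0 },   /* deepest level only           */
};
#define SAMPLE_NUM_SEC (int)(sizeof sample_sec / sizeof sample_sec[0])
static const char *sample_path = "/docs/sub/index.html";

/* Run the merge over the constructed table; arrays need MAX_DIRS entries. */
int sample_merge(int *opts, int *override) {
    return merge_dir_opts(sample_path, sample_sec, SAMPLE_NUM_SEC,
                          count_dirs(sample_path), opts, override);
}

int main(void) {
    int opts[MAX_DIRS], over[MAX_DIRS], y;
    int checks = sample_merge(opts, over);
    for (y = 0; y < count_dirs(sample_path); y++)
        printf("level %d: opts=%d override=%d\n", y, opts[y], over[y]);
    printf("check_dir_access calls: %d\n", checks);
    return 0;
}
```

The run shows the ordering rules the bare loop leaves implicit: later sections overwrite earlier ones, an OPT_UNSET section replaces override[] but leaves opts[] alone, and a literal section only reaches levels at or below its own depth.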