Re: Fixing the NCSA HTTPD 1.3 (fwd)
Thomas Lopatic (lopatic dbs.informatik.uni-muenchen.de)
Thu, 16 Feb 1995 10:57:56 +0100 (MET)
- Next message: Jake Hill: "NCSA httpd holes also in 1.2"
- Previous message: Everett F Batey WA6CRE: "For NCSA Http_1.05a"
Hi there,

> > 2. have getline() read only 1000 characters instead of HUGE_STRING_LEN
> > (file http_request.c: getline(l,HUGE_STRING_LEN/4,in,timeout) instead
> > of getline(l,HUGE_STRING_LEN,in,timeout))
>
> I don't see any obvious problems with it (then again, I'm no expert on
> NCSA's code) but I'm curious: is there any rationale behind the magic
> number 4 here, or is that an essentially arbitrary decision?

It is an arbitrary decision to introduce some security in case I've missed
something in the code of the HTTPD. I think it should be enough just to make
HUGE_STRING_LEN and MAX_STRING_LEN have the same value. Maybe my approach was
a bit paranoid. If you need URLs larger than 1000 chars you might want to
increase the buffer sizes. These are pretty much arbitrary as well. Sorry for
not saying so in the posting.

Greetings,
-Thomas

--
Thomas Lopatic lopaticinformatik.uni-muenchen.de
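The invariant behind the fix discussed in this message, as an added C example that is not part of the original post or of the NCSA code: the reader's length limit must never exceed the size of a buffer the line is later copied into. The `EX_` sizes and the functions `bounded_getline` and `checked_copy` are hypothetical names and values chosen for the illustration, and the input is an in-memory string standing in for the client connection.

```c
#include <stddef.h>
#include <string.h>

/* Sizes chosen for this example; they are not taken from the NCSA source. */
#define EX_HUGE_STRING_LEN 8192                 /* request-line buffer */
#define EX_MAX_STRING_LEN  8192                 /* buffers the line is copied into */
#define EX_READ_LIMIT (EX_HUGE_STRING_LEN / 4)  /* the reduced limit from the patch */

/* Build-time check: no accepted line may be longer than a later destination. */
_Static_assert(EX_READ_LIMIT <= EX_MAX_STRING_LEN,
               "read limit exceeds the buffers the line is copied into");

/* Read one line from the in-memory stream *in (a stand-in for the client
 * socket) into buf, storing at most n-1 bytes plus the terminator.
 * Returns the line length, or -1 if the line did not fit or no input is left.
 * An over-long line is consumed to its end and rejected, never truncated. */
static int bounded_getline(char *buf, size_t n, const char **in)
{
    size_t i = 0;
    int too_long = 0;
    const char *p = *in;

    if (n == 0 || *p == '\0')
        return -1;
    while (*p != '\0' && *p != '\n') {
        if (i + 1 < n)
            buf[i++] = *p;
        else
            too_long = 1;
        p++;
    }
    if (*p == '\n')
        p++;
    *in = p;
    if (i > 0 && buf[i - 1] == '\r')   /* drop the CR of a CRLF line ending */
        i--;
    buf[i] = '\0';
    return too_long ? -1 : (int)i;
}

/* Copy src into dst only if it fits, terminator included. 0 on success. */
static int checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);

    if (len >= dstsz)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}
```

Setting `EX_MAX_STRING_LEN` below `EX_READ_LIMIT` makes the build fail, which is the mismatch the message proposes to remove by giving both constants the same value.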