> From: Aaron Bannert [mailto:[EMAIL PROTECTED]] > > On Sun, Jun 23, 2002 at 05:09:05PM -0700, Roy Fielding wrote: > > I have re-uploaded a patch to fix the problem on all versions of > > httpd 1.2.0 through 1.3.22. This time I added the four lines that > > check for a negative return value from atol, even though there has > > been no evidence of any such error in the standard C libraries. > > > > To the person who deleted my prior patch: You just wasted > > my Sunday afternoon. Even if the patch didn't, by some stretch of > > your imagination, suffice for the broken atol case, you prevented > > people from protecting themselves against a published exploit script > > that doesn't even use content-length as an attack. Do not remove > > my patch unless you replace it with a better fix that is known to > > apply for that version and compile on all platforms. > > > > -1 to any additions of ap_strtol to prior versions of Apache. > > That introduced more problems than it fixed. There is no reason > > to work around the operating system when a simple fix to our own > > code is necessary and sufficient to solve the problem. > > > I don't remember seeing any +1's for this patch on the list. > > Please remove this patch until one can be made that addresses the same > issues with the proxy code (which also uses get_chunk_size()).
The proxy didn't use that code until it supported HTTP 1.1, which didn't happen until 1.3.24. Roy is right, removing this patch is completely bogus. Ryan
