> I did not remove your patch, I am merely looking for some other opinions.

So am I. Where are they?

> Have you so soon forgotten that this bug has been in the codebase for
> over 4 years? Common sense tells us that this big of a fuckup needs to
> be thoroughly reviewed, and by someone other than the original author.

What kind of nonsense is that? The fuckup is obvious once someone says "hey, it's not protecting against overflow into the signed bit." The fix for that is trivial. The hard part was seeing the tree within the forest, and then figuring out how they used it to create an exploit. But that must not prevent us from plugging the hole once it is pointed out.

I know exactly how the hole in the code was introduced -- I remember when it happened and why there wasn't enough review of the code. I also know that I reviewed that code dozens of times since then and never saw this particular condition. Shit happens. Nevertheless, I also know when to put aside ego and let the bugs be fixed as soon as possible. Our rule is that if an exploit script is published, then nothing else is more important than getting a patch up that plugs the exploit on all releases.

>> My patch does fix the problem, certainly far better than no patch at all.
>> If you disagree, then tell me why it doesn't fix the problem. If all you
>> are going to do is pontificate about the subject without taking the five
>> minutes necessary to review the change
>
> There's no way that I would be comfortable with a patch to fix a problem
> of this magnitude after only 5 minutes, especially after spending so
> many hours trying to understand the ramifications of the gobbles exploit.

How can you not feel comfortable about it after 5 minutes? The ramifications of the gobbles exploit are completely irrelevant to stopping the gobbles exploit. The ramifications were already published. Stopping the exploit only requires one conditional pre-1.3.24.

Even if, by some strange freak of nature, there exists some other exploit of a related nature, it is still absolutely necessary that we provide a patch that allows our users to stop the script kiddies from using the gobbles exploit ASAP. That was done for the current version of httpd (a much harder task) and would have been done for all Apache httpd as of Friday if some idiot hadn't removed my patch without telling me.

I don't mind that some people here don't have enough experience with Apache 1.2.x and 1.3.x to feel comfortable about preparing such a patch. I wouldn't feel comfortable preparing one for 2.0.x filters. What I do mind is some people feeling that I should sit on my thumb and wait for them to decide, if they ever find the time to get around to it, whether or not I know enough about C programming and http_protocol.c to provide an adequate patch. I've earned the right to be given the benefit of the doubt, just as you have earned the right to veto the patch based on TECHNICAL reasons after you've taken the time to review it and supplied an alternative.

....Roy
