Brian Pane wrote:
> +1 for the patch in 2.0.44.

thanks!

> Longer term, a better solution might be able to fix the problem
> closer to its source. I'm assuming, based on the code, that the
> problem only occurs when the "folding" logic in ap_get_mime_headers_core
> is invoked.

I was thinking that the length limit worked, but then ap_escape_html went nuts due to the lack of a null in the buffer.

> That's the only case I see where the size of the field can grow arbitrarily large.

yikes! Then we should fix that too.

> (If the field is on a single line, its length is limited within ap_rgetline_core.)

But that length limit didn't affect ap_escape_html directly. It assumes its input string is null terminated which may not happen in the error paths. Hence the problem, I think.

> I think it would be cleaner to impose the length limit in the folding code. But for now, the current patch is okay.

I'll take a closer look at the dump and see if there's evidence of folding. Thanks much for the review.

Greg
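
The two points raised in this message, a length limit applied while continuation lines are folded and a buffer that stays NUL-terminated on the error path, shown together as an added example. This is not httpd's code and not the patch under review; `append_bounded`, `assemble_field` and `FIELD_LIMIT` are hypothetical names, and the header lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#define FIELD_LIMIT 32   /* assumed cap, for this demo only */
enum { FOLD_OK = 0, FOLD_TOO_LONG = -1 };

/* Append n bytes of src (after one space if sep) to field (*len bytes used of
 * cap). Size is checked before any copy; field stays NUL-terminated on error. */
static int append_bounded(char *field, size_t cap, size_t *len,
                          const char *src, size_t n, int sep)
{
    if (*len >= cap) return FOLD_TOO_LONG;   /* caller broke the invariant */
    size_t room = cap - *len - 1;            /* free bytes, one kept for NUL */
    if (n > room || (sep && room - n < 1)) {
        field[*len] = '\0';                  /* readers scan for this byte */
        return FOLD_TOO_LONG;
    }
    if (sep) field[(*len)++] = ' ';
    memcpy(field + *len, src, n);
    *len += n;
    field[*len] = '\0';
    return FOLD_OK;
}

/* Build one field from a first line plus SP/HTAB continuation lines. */
static int assemble_field(char *field, size_t cap,
                          const char *const *lines, size_t count)
{
    size_t len = 0;
    if (cap == 0) return FOLD_TOO_LONG;
    field[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        const char *p = lines[i] + (i ? strspn(lines[i], " \t") : 0);
        if (append_bounded(field, cap, &len, p, strlen(p), i > 0) != FOLD_OK)
            return FOLD_TOO_LONG;
    }
    return FOLD_OK;
}

/* Constructed sample input, not taken from any real request. */
static const char *const ok_lines[]  = { "X-Demo: alpha", "  beta", "\tgamma" };
static const char *const big_lines[] = { "X-Demo: alpha", " 0123456789", " 0123456789" };
static char demo_buf[FIELD_LIMIT];

int main(void)
{
    int a = assemble_field(demo_buf, sizeof demo_buf, ok_lines, 3);
    int b = assemble_field(demo_buf, sizeof demo_buf, big_lines, 3);
    printf("ok=%d oversize=%d kept=\"%s\"\n", a, b, demo_buf);
    return 0;
}
```

The oversize case returns an error with the already-folded prefix intact and terminated, so a consumer that scans for the NUL never reads past the buffer.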
