On 5/18/22 12:19 PM, Stefan Eissing wrote:
> 2022 and we discuss strcasecmp() again?
>
> Background: OpenSSL 3.0.3 added OPENSSL_strcasecmp() and friends and there
> are several issue around their implementation. Up to this version, they
> relied on the POSIX strcasecmp(). Whatever their reasons for their change...
>
> Checking our sources, we have ap_cstr_casecmp() that does the right thing.
> But
> - we do not use it everywhere
> - it is not part of APR which relies on the POSIX strcasecmp(), esp.
> apr_table does.
It is, but it may not be used where it possibly should:
https://apr.apache.org/docs/apr/1.7/group__apr__cstr.html
>
> I want to handshake with you regarding this:
> 1. should we scan our sources for strcasecmp and replace it with
> ap_cstr_casecmp()?
If I remember correctly ap_cstr_casecmp was only designed to be used for
comparisons of HTTP protocol strings as it is locale
agnostic. Hence I am not sure if it is correct to use it everywhere. From the
documentation:
**
* Perform a case-insensitive comparison of two strings @a str1 and @a str2,
* treating upper and lower case values of the 26 standard C/POSIX alphabetic
* characters as equivalent. Extended latin characters outside of this set
* are treated as unique octets, irrespective of the current locale.
Hence it might be wrong to use it in cases where you need to respect the locale.
Regards
RĂ¼diger
