On Mon, 27 Jan 2003, Thomas Eibner wrote:

> On Mon, Jan 27, 2003 at 02:45:13PM +0000, Matt Sergeant wrote:
> > On Mon, 27 Jan 2003, Thomas Eibner wrote:
> >
> > > So, because a programmer doesn't check the validity of the input he gets
> > > it's a bug that should be fixed in Apache? Maybe someone should make
> > > sure that the same thing can't happen with allowing CGI input going
> > > straight into a form.. oh wait.
> > > I don't see anyone from dev@httpd wanting to "fix" this bogus error when
> > > it's really just doing what the programmer wants to do (when he is not
> > > validating the input).
> >
> > The programmer wants to output a header. If he accidentally tries to
> > output something that's not a header he actually ends up outputting body.
> > That's a bug.
>
> I can see the validity of your point, but it's still a programmer error.
> The same thing could happen if you did this as plain CGI and outputted
> something you weren't supposed to. We have full access to the API and
> can do whatever we want (both in Perl and C), that doesn't mean we should
> let our guards down. I still don't consider this a serious problem :)

I guess it depends which school of thought you come from - that the programmer is stupid for not having checks in every inch of his code, or that if we can, and if it has little impact, then we should do some checks to stop the programmer hurting himself.

Anyway, the main reason for doing this is that there's no other way. Since headers_out is just a plain table object, and there are no "setter" hooks for tables, I couldn't do it in mod_perl space. And I couldn't do it in AxKit space, so I had to patch Apache, which has a single exit point for all headers.

I find it quite disappointing that people don't support fixing security issues here :-/

--
<!-- Matt -->
<:->get a SMart net</:->
Spam trap - do not mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
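As an added illustration of the kind of check being argued over (written here as an example; it is not Matt's Apache patch or any Apache/mod_perl code): a C function that a single header-output point could call to reject a header whose name is not an RFC 2616 token or whose value contains a CR, LF or other control byte, which is exactly what turns "a header" into further headers or body.

```c
#include <string.h>

/* Returns 1 if c may appear in a header name (an RFC 2616 "token" char). */
static int is_token_char(unsigned char c) {
    static const char *separators = "()<>@,;:\\\"/[]?={} \t";
    return c > 31 && c < 127 && strchr(separators, c) == NULL;
}

/* Hypothetical check at the point where headers are written out.
 * Returns 1 when the header is safe to emit and 0 when it must be rejected.
 * A CR or LF inside the value would terminate the header line early, so
 * whatever follows would be sent as additional headers or as body. */
int header_is_safe(const char *name, const char *value) {
    const unsigned char *p;

    if (name == NULL || value == NULL || *name == '\0')
        return 0;

    /* Header names: token characters only, so no whitespace, ':' or CR/LF. */
    for (p = (const unsigned char *)name; *p; p++)
        if (!is_token_char(*p))
            return 0;

    /* Header values: reject CR, LF and every other control byte except TAB.
     * Bytes >= 128 are left alone (obs-text), as they cannot split a line. */
    for (p = (const unsigned char *)value; *p; p++) {
        if (*p == '\r' || *p == '\n')
            return 0;
        if (*p < 32 && *p != '\t')
            return 0;
        if (*p == 127)
            return 0;
    }
    return 1;
}
```

A caller that receives 0 should drop the header (or fail the request) rather than try to "clean" the value, since stripping characters silently hides the bug the discussion is about.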
