Re: [RELEASE CANDIDATE] libapreq-1.34

2009-01-08 Thread Issac Goldstand 
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
 
+1

make, test, install with apache-1.41/perl-5.6.2/mp-1.30

Issac Goldstand wrote:
 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted with
 FireFox 2.0 truncating file uploads in SSL mode.

 Additionally, the memory allocation algorithm for multipart
 requests has been improved.

 Please give the tarball at

 http://www.apache.org/dist/httpd/libapreq/libapreq-1.34.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list at
 apreq-dev@httpd.apache.org

 Thanks, Issac

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iEYEARECAAYFAklmeXgACgkQ7bEFiW+VItiqDQCfaLWzLlAsp4PhT8kfHtqfp6p6
rKgAn06AYDSMXdEe1poRp5VDHeasu5p4
=qfzS
-END PGP SIGNATURE-

Re: [RELEASE CANDIDATE] libapreq-1.34

2009-01-08 Thread Issac Goldstand 
That's 3 +1s.  Uploading to CPAN and announcing... 

Issac Goldstand wrote:
 +1

 make, test, install with apache-1.41/perl-5.6.2/mp-1.30

 Issac Goldstand wrote:
  The apreq developers are planning a maintenance release of
  libapreq1.  This version primarily addresses an issue noted with
  FireFox 2.0 truncating file uploads in SSL mode.

  Additionally, the memory allocation algorithm for multipart
  requests has been improved.

  Please give the tarball at

  http://www.apache.org/dist/httpd/libapreq/libapreq-1.34.tar.gz

  a try and report comments/problems/etc. to the apreq-dev list at
  apreq-dev@httpd.apache.org

  Thanks, Issac

Re: [RELEASE CANDIDATE] libapreq-1.34

2009-01-08 Thread Joe Schaefer 
+1, tests and installs cleanly on Debian-testing
with apache 1.3.41 and mod_perl 1.30 and perl 5.8.x.



- Original Message 
 From: Issac Goldstand mar...@beamartyr.net
 To: APREQ List apreq-...@httpd.apache.org
 Sent: Thursday, January 8, 2009 11:35:22 AM
 Subject: [RELEASE CANDIDATE] libapreq-1.34
 
 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.
 
 Additionally, the memory allocation algorithm for multipart
 requests has been improved.
 
 Please give the tarball at
 
 http://www.apache.org/dist/httpd/libapreq/libapreq-1.34.tar.gz
 
 a try and report comments/problems/etc. to the apreq-dev list
 at apreq-...@httpd.apache.org
 
 Thanks,
 Issac

RE: [RELEASE CANDIDATE] libapreq 1.34-RC4

2009-01-07 Thread Steve Hay 
I didn't vote because AFAIK I don't actually have a vote. I have commit
access, but I'm not a PMC member and therefore have no vote. Is that
correct?
 

-Original Message-
From: Issac Goldstand [mailto:mar...@beamartyr.net] 
Sent: 07 January 2009 13:24
Cc: APREQ List
Subject: Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

*ping*

I don't actually see a vote from Steeve - just an advisory that it seems
OK.  I did vote +1, and am ready to roll (after having a baby boy +
getting the flu twice; it's been a busy month ;)) as soon as I see a 3rd
binding vote.

Since steevehay does seem positive, I'm going to start tagging and
rolling, but won't upload or announce until I formally close the vote

  Issac

Philip M. Gollucci wrote:
 Philip M. Gollucci wrote:
 Issac Goldstand wrote:
 http://people.apache.org/~issac/libapreq-1.34-RC4.tar.gz
 Unit tests blow up spectacularly on solaris 2.10 but I don't think we

 support that and is related to Request.so failing to load.

 It does compile.

 I'll get a freebsd test for some sanity in the nearish future here.

 I wouldn't worry about the solaris blow ups (1.33 doesn't work
either)


 Nothing liked getting pissed off to get things to work.
 (I believe the only difference I did was -httpd vs -apxs)

 All tests successful.
 Files=4, Tests=25,  3 wallclock secs ( 1.22 cusr +  0.17 csys =  1.39 
 CPU)

 Solaris 2.10
 apache 1.3.41
 mod_perl 1.30
 perl 5.8.8

 so thats a +1

 Neither of Steve's changes are to apreq itself so they don't block the

 release.

 +1: stevenhay, pgollucci
 +0:
 -0:
 -1:

 ISSAC did you vote ? if you do we get the required votes.

 If do the release, make sure you send the e-mails from an @apache.org 
 e-mail.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

2009-01-07 Thread Philip M. Gollucci 

Steve Hay wrote:

I didn't vote because AFAIK I don't actually have a vote. I have commit
access, but I'm not a PMC member and therefore have no vote. Is that
correct?

You're not ? mumble grumble.


--

1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
Consultant  - P6M7G8 Inc.http://p6m7g8.net
Director IT - RideCharge, Inc.   http://ridecharge.com
Contractor  - PositiveEnergyUSA  http://positiveenergyusa.com
ASF Member  - Apache Software Foundation http://apache.org
FreeBSD Committer   - FreeBSD Foundation http://freebsd.org

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

2009-01-07 Thread Joe Schaefer 
- Original Message 

 From: Steve Hay steve...@planit.com
 To: Issac Goldstand mar...@beamartyr.net
 Cc: APREQ List apreq-dev@httpd.apache.org
 Sent: Wednesday, January 7, 2009 8:54:48 AM
 Subject: RE: [RELEASE CANDIDATE] libapreq 1.34-RC4
 
 I didn't vote because AFAIK I don't actually have a vote. I have commit
 access, but I'm not a PMC member and therefore have no vote. Is that
 correct?

Everybody gets a vote ;-), but the ones that count towards
the release requirements come from the httpd PMC.

Here's my +1 for release Issac.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

2009-01-07 Thread Philip M. Gollucci 

Issac Goldstand wrote:

Yay! That makes just a 1.5 year release cycle ;)

Me. Thought i might be slow.

--

1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollu...@p6m7g8.com) c: 703.336.9354
Consultant  - P6M7G8 Inc.http://p6m7g8.net
Senior Sys Admin- RideCharge, Inc.   http://ridecharge.com
Contractor  - PositiveEnergyUSA  http://positiveenergyusa.com
ASF Member  - Apache Software Foundation http://apache.org
FreeBSD Committer   - FreeBSD Foundation http://freebsd.org

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

2008-11-26 Thread Philip M. Gollucci 

Philip M. Gollucci wrote:

Issac Goldstand wrote:

http://people.apache.org/~issac/libapreq-1.34-RC4.tar.gz
Unit tests blow up spectacularly on solaris 2.10 but I don't think we 
support that and is related to Request.so failing to load.


It does compile.

I'll get a freebsd test for some sanity in the nearish future here.

I wouldn't worry about the solaris blow ups (1.33 doesn't work either)



Nothing liked getting pissed off to get things to work.
(I believe the only difference I did was -httpd vs -apxs)

All tests successful.
Files=4, Tests=25,  3 wallclock secs ( 1.22 cusr +  0.17 csys =  1.39 CPU)

Solaris 2.10
apache 1.3.41
mod_perl 1.30
perl 5.8.8

so thats a +1

Neither of Steve's changes are to apreq itself so they don't block the 
release.


+1: stevenhay, pgollucci
+0:
-0:
-1:

ISSAC did you vote ? if you do we get the required votes.

If do the release, make sure you send the e-mails from an @apache.org 
e-mail.


--

Philip M. Gollucci ([EMAIL PROTECTED]) c: 703.336.9354
Consultant - P6M7G8 Inc.  http://p6m7g8.net
Senior System Admin - RideCharge, Inc.  http://ridecharge.com
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC4

2008-11-21 Thread Philip M. Gollucci 

Steve Hay wrote:

Issac Goldstand wrote:

The apreq developers are planning a maintenance release of
libapreq1.  This version primarily addresses an issue noted
with FireFox 2.0 truncating file uploads in SSL mode.

Additionally, the memory allocation algorithm for multipart
requests has been improved.

Please give the tarball at

http://people.apache.org/~issac/libapreq-1.34-RC4.tar.gz

a try and report comments/problems/etc. to the apreq-dev list
at apreq-dev@httpd.apache.org

not to speak for issac, but looks like we're gonna need -RC5 for 1.x.

Issac, I should be able to get a test on FreeBSD today before you roll 
-RC5.  I have lots of faith -RC5 will be the last one.



--

Philip M. Gollucci ([EMAIL PROTECTED]) c: 703.336.9354
Consultant - P6M7G8 Inc.  http://p6m7g8.net
Senior System Admin - RideCharge, Inc.  http://ridecharge.com
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC3

2007-08-08 Thread Fred Moyer 

Issac Goldstand wrote:

We're still waiting on a couple of PMC votes to roll.  If anyone's got
time to make test and vote on this, it'd be great.

  Issac


I remember testing this and giving a +1, and seeing another +1 from 
Randy Kobes, but I can't seem to track down those emails in the archive.


http://marc.info/?l=apache-httpd-devm=118245721026747w=2

There looks like some activity rolling the 2.09 release also, so I 
thought I would drop a friendly ping here to see if there's anything 
that needs to be done to roll this one also.

Re: [RELEASE CANDIDATE] libapreq 1.34-RC3

2007-06-21 Thread Issac Goldstand 
We're still waiting on a couple of PMC votes to roll.  If anyone's got
time to make test and vote on this, it'd be great.

  Issac

Issac Goldstand wrote:
 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.

 Additionally, the memory allocation algorithm for multipart
 requests has been improved.

 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC3.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list
 at [EMAIL PROTECTED]

 Thanks,
   Issac

Re: [RELEASE CANDIDATE] libapreq 1.34-RC3

2007-06-05 Thread Randy Kobes 

On Mon, 4 Jun 2007, Fred Moyer wrote:


Issac Goldstand wrote:

Please give the tarball at

http://people.apache.org/~issac/libapreq-1.34-RC3.tar.gz

a try and report comments/problems/etc. to the apreq-dev list
at [EMAIL PROTECTED]


All tests OK on Fedora Core 5, perl 5.8.8, apache 1.3.37, mod_perl 1.30.

+1


+1

All tests OK on Win32 (XP) - perl-5.8.8, apache-1.3.34 and
mod_perl-1.29.

--
best regards,
Randy

Re: [RELEASE CANDIDATE] libapreq 1.34-RC3

2007-06-04 Thread Fred Moyer 

Issac Goldstand wrote:
 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC3.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list
 at [EMAIL PROTECTED]

All tests OK on Fedora Core 5, perl 5.8.8, apache 1.3.37, mod_perl 1.30.

+1

Re: No quadratic allocators (was Re: [RELEASE CANDIDATE] libapreq 1.34-RC2)

2007-05-30 Thread Issac Goldstand 
After going too long without any tuits, I've gotten around to properly
testing this.  Looks ok, although I didn't really do anything
in-depth.   - I'm going to commit and roll another RC.

  Issac

Joe Schaefer wrote:
 Joe Schaefer [EMAIL PROTECTED] writes:

   
 Issac Goldstand [EMAIL PROTECTED] writes:

 
 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.

 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC2.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list
 at [EMAIL PROTECTED]
   
 +1, tested on Debian stable i386.
 

 Having looked over some recent literature on memory allocation
 attacks, I'm changing my vote to -1.  We need to fix the 
 crappy quadratic allocator in multipart_buffer_read_body.

 Here's a first stab at it- completely untested (I didn't even
 bother trying to compile it).  The strategy here though is to
 allocate (more than) twice the amount last allocated, so the
 total amount allocated will sum (as a geometric series) to
 no more than 2 times the final allocation, which is O(n).

 The problem with the current code is that the total amount
 allocated is O(n^2), where n is basically the number of packets
 received. This is entirely unsafe nowadays, so we should not bless
 a new release which contains such code.

 Index: c/apache_multipart_buffer.c
 ===
 --- c/apache_multipart_buffer.c   (revision 531273)
 +++ c/apache_multipart_buffer.c   (working copy)
 @@ -273,17 +273,25 @@
  return len;
  }
  
 -/*
 -  XXX: this is horrible memory-usage-wise, but we only expect
 -  to do this on small pieces of form data.
 -*/
  char *multipart_buffer_read_body(multipart_buffer *self)
  {
  char buf[FILLUNIT], *out = ;
 +size_t nalloc = 1, cur_len = 0;
  
 -while(multipart_buffer_read(self, buf, sizeof(buf)))
 - out = ap_pstrcat(self-r-pool, out, buf, NULL);
 +while(multipart_buffer_read(self, buf, sizeof(buf))) {
 +size_t len = strlen(buf);
 +if (len + cur_len + 1  nalloc) {
 +char *tmp;
 +nalloc = 2 * (nalloc + len + 1);
 +tmp = ap_palloc(self-r-pool, nalloc);
 +strcpy(tmp, out);
 +out = tmp;
 +}
  
 +strcpy(out + cur_len, buf);
 +cur_len += len;
 +}
 +
  #ifdef DEBUG
  ap_log_rerror(MPB_ERROR, multipart_buffer_read_body: '%s', out);
  #endif

No quadratic allocators (was Re: [RELEASE CANDIDATE] libapreq 1.34-RC2)

2007-05-07 Thread Joe Schaefer 
Joe Schaefer [EMAIL PROTECTED] writes:

 Issac Goldstand [EMAIL PROTECTED] writes:

 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.

 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC2.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list
 at [EMAIL PROTECTED]

 +1, tested on Debian stable i386.

Having looked over some recent literature on memory allocation
attacks, I'm changing my vote to -1.  We need to fix the 
crappy quadratic allocator in multipart_buffer_read_body.

Here's a first stab at it- completely untested (I didn't even
bother trying to compile it).  The strategy here though is to
allocate (more than) twice the amount last allocated, so the
total amount allocated will sum (as a geometric series) to
no more than 2 times the final allocation, which is O(n).

The problem with the current code is that the total amount
allocated is O(n^2), where n is basically the number of packets
received. This is entirely unsafe nowadays, so we should not bless
a new release which contains such code.

Index: c/apache_multipart_buffer.c
===
--- c/apache_multipart_buffer.c (revision 531273)
+++ c/apache_multipart_buffer.c (working copy)
@@ -273,17 +273,25 @@
 return len;
 }
 
-/*
-  XXX: this is horrible memory-usage-wise, but we only expect
-  to do this on small pieces of form data.
-*/
 char *multipart_buffer_read_body(multipart_buffer *self)
 {
 char buf[FILLUNIT], *out = ;
+size_t nalloc = 1, cur_len = 0;
 
-while(multipart_buffer_read(self, buf, sizeof(buf)))
-   out = ap_pstrcat(self-r-pool, out, buf, NULL);
+while(multipart_buffer_read(self, buf, sizeof(buf))) {
+size_t len = strlen(buf);
+if (len + cur_len + 1  nalloc) {
+char *tmp;
+nalloc = 2 * (nalloc + len + 1);
+tmp = ap_palloc(self-r-pool, nalloc);
+strcpy(tmp, out);
+out = tmp;
+}
 
+strcpy(out + cur_len, buf);
+cur_len += len;
+}
+
 #ifdef DEBUG
 ap_log_rerror(MPB_ERROR, multipart_buffer_read_body: '%s', out);
 #endif


-- 
Joe Schaefer

Re: [RELEASE CANDIDATE] libapreq 1.34-RC2

2007-04-30 Thread Randy Kobes 

On Mon, 30 Apr 2007, Joe Schaefer wrote:


Joe Schaefer [EMAIL PROTECTED] writes:


Issac Goldstand [EMAIL PROTECTED] writes:


The apreq developers are planning a maintenance release of
libapreq1.  This version primarily addresses an issue noted
with FireFox 2.0 truncating file uploads in SSL mode.

Please give the tarball at

http://people.apache.org/~issac/libapreq-1.34-RC2.tar.gz

a try and report comments/problems/etc. to the apreq-dev list
at [EMAIL PROTECTED]


+1, tested on Debian stable i386.


We need a few votes from pmc members before Issac can release.


I'm away for the next several days, but will give it a try
on Win32 when I return.

--
best regards,
Randy

Re: [RELEASE CANDIDATE] libapreq 1.34-RC2

2007-04-28 Thread Joe Schaefer 
Issac Goldstand [EMAIL PROTECTED] writes:

 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.

 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC2.tar.gz

 a try and report comments/problems/etc. to the apreq-dev list
 at [EMAIL PROTECTED]

+1, tested on Debian stable i386.

-- 
Joe Schaefer

Re: [RELEASE CANDIDATE] libapreq 1.34-RC2

2007-04-27 Thread Steve Hay 

Issac Goldstand wrote:

The apreq developers are planning a maintenance release of
libapreq1.  This version primarily addresses an issue noted
with FireFox 2.0 truncating file uploads in SSL mode.

Please give the tarball at

http://people.apache.org/~issac/libapreq-1.34-RC2.tar.gz

a try and report comments/problems/etc. to the apreq-dev list
at [EMAIL PROTECTED]


All still OK on WinXP/VC6 with perl-5.8.8, apache-1.3.34, mod_perl-1.29.

--

Re: [RELEASE CANDIDATE] libapreq 1.34-RC1

2007-04-26 Thread Steve Hay 

Issac Goldstand wrote:

Please give the tarball at

http://people.apache.org/~issac/libapreq-1.34-RC1.tar.gz

a try and report comments/problems/etc. to the apreq-dev list
at [EMAIL PROTECTED] 


All tests OK on WinXP (VC6) with perl-5.8.8, apache-1.3.34 and 
mod_perl-1.29.


--

Re: [RELEASE CANDIDATE] libapreq 1.34-RC1

2007-04-26 Thread Joe Schaefer 
Joe Schaefer [EMAIL PROTECTED] writes:

 Issac Goldstand [EMAIL PROTECTED] writes:

 The apreq developers are planning a maintenance release of
 libapreq1.  This version primarily addresses an issue noted
 with FireFox 2.0 truncating file uploads in SSL mode.

 Please give the tarball at

 http://people.apache.org/~issac/libapreq-1.34-RC1.tar.gz

 +1, tested on Debian stable i386.

Oops- the NOTICE file is missing from the MANIFEST and tarball.

-- 
Joe Schaefer