cvs commit: apache-1.3 STATUS

[brian]

brian       98/05/03 20:03:05

  Modified:    .        STATUS
  Log:
  Final bit of reprioritizations for now.  Note that showstoppers are at the
  top!  People should either fix them, or decide that the showstoppers aren't
  necessary.
  
  Revision  Changes    Path
  1.361     +52 -57    apache-1.3/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.360
  retrieving revision 1.361
  diff -u -r1.360 -r1.361
  --- STATUS    1998/05/04 02:58:02     1.360
  +++ STATUS    1998/05/04 03:03:04     1.361
  @@ -9,8 +9,59 @@
   
       2.0  : In pre-alpha development, see apache-2.0 repository
   
  -Showstoppers:
  +FINAL RELEASE SHOWSTOPPERS:
  +
  +    * proxy security fixes from 1.2.5 need to be brought forward
  +       Jim: What are these?
  +
  +    * Someone other than Dean has to do a security/correctness review on
  +      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  +      do lots of fun pointer manipulations and such and possibly have 
overflow
  +      errors.  The respective flush_funcs also need to be exercised.
  +       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  +         did to make thread-safe) and they look fine.
  +
  +    * The DoS issue about symlinks to /dev/zero is still present.
  +      A device checker patch had been sent to the list a while ago.
  +      Msg-Id: ?
  +       Jim: Couldn't we just use stat() and check the file-type?
  +            stats are expensive though...
  +
  +    * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
  +      See: <[EMAIL PROTECTED]>
  +
  +WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
  +
  +    * CGIs
  +        - hangs on multiple CGI execution?  PR#1607,1129
  +         Marc can't repeat...
  +
  +    * SECURITY: PR#1203 still needs to be dealt with for WIN32
  +
  +    * SECURITY: check if the magic con/aux/nul/etc names do anything
  +     really bad
  +
  +    * SECURITY: numerous uses of strcpy and strcat have potential
  +     for buffer overflow, someone should rewrite or verify
  +     they're safe
  +
  +    * SECURITY: os_ abstract is_only_below() in mod_include.c
   
  +    * signal type handling
  +     - how to rotate logs from command line?
  +
  +    * bad use of chdir in some places; it isn't thread-specific
  +
  +Documentation that needs writing:
  +
  +    * Documentation for:
  +      1) htdocs/manual/sourcereorg.html and other files should mention 
  +         new mod_so capabilities.
  +      2) windows.html should be cleaned up.
  +
  +    * Need a document explaining mod_rewrite/"UseCanonicalName off" based
  +     virtualhosting.  (If it exists already I can't find it easily.)
  +
   Available Patches:
   
       * Ed Korthof's patch to fix protocol issues surrounding 400, 408, and
  @@ -48,38 +99,6 @@
       * Ken's IndexFormat enhancement to mod_autoindex to allow
         CustomLog-like tailoring of directory listing formats
   
  -FINAL RELEASE SHOWSTOPPERS:
  -
  -    * proxy security fixes from 1.2.5 need to be brought forward
  -       Jim: What are these?
  -
  -    * Someone other than Dean has to do a security/correctness review on
  -      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  -      do lots of fun pointer manipulations and such and possibly have 
overflow
  -      errors.  The respective flush_funcs also need to be exercised.
  -       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  -         did to make thread-safe) and they look fine.
  -
  -    * The DoS issue about symlinks to /dev/zero is still present.
  -      A device checker patch had been sent to the list a while ago.
  -      Msg-Id: ?
  -       Jim: Couldn't we just use stat() and check the file-type?
  -            stats are expensive though...
  -
  -    * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
  -      See: <[EMAIL PROTECTED]>
  -
  -
  -Documentation that needs writing:
  -
  -    * Documentation for:
  -      1) htdocs/manual/sourcereorg.html and other files should mention 
  -         new mod_so capabilities.
  -      2) windows.html should be cleaned up.
  -
  -    * Need a document explaining mod_rewrite/"UseCanonicalName off" based
  -     virtualhosting.  (If it exists already I can't find it easily.)
  -
   Needs patch:
   
       * uri issues
  @@ -126,8 +145,6 @@
            apdefaults.h   :
            apdefines.h    :
   
  -Closed issues:
  -
   Open issues:
       
       * Paul would like to see a 'gdbm' option because he uses
  @@ -326,28 +343,6 @@
       * mod_include --> exec cgi, exec cmd, etc. don't work right.
         Looks like a code path that isn't run anywhere else that has
         something not quite right...  A PR or two on it.
  -
  -WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
  -
  -    * CGIs
  -        - hangs on multiple CGI execution?  PR#1607,1129
  -         Marc can't repeat...
  -
  -    * SECURITY: PR#1203 still needs to be dealt with for WIN32
  -
  -    * SECURITY: check if the magic con/aux/nul/etc names do anything
  -     really bad
  -
  -    * SECURITY: numerous uses of strcpy and strcat have potential
  -     for buffer overflow, someone should rewrite or verify
  -     they're safe
  -
  -    * SECURITY: os_ abstract is_only_below() in mod_include.c
  -
  -    * signal type handling
  -     - how to rotate logs from command line?
  -
  -    * bad use of chdir in some places; it isn't thread-specific
   
   Delayed until after 1.3.0, unless someone happens to get to it: