On Sun, Jun 23, 2002 at 05:09:05PM -0700, Roy Fielding wrote:
> I have re-uploaded a patch to fix the problem on all versions of
> httpd 1.2.0 through 1.3.22. This time I added the four lines that
> check for a negative return value from atol, even though there has
> been no evidence of any such error in the standard C libraries.
>
> To the person who deleted my prior patch: You just wasted
> my Sunday afternoon. Even if the patch didn't, by some stretch of
> your imagination, suffice for the broken atol case, you prevented
> people from protecting themselves against a published exploit script
> that doesn't even use content-length as an attack. Do not remove
> my patch unless you replace it with a better fix that is known to
> apply for that version and compile on all platforms.
>
> -1 to any additions of ap_strtol to prior versions of Apache.
> That introduced more problems than it fixed. There is no reason
> to work around the operating system when a simple fix to our own
> code is necessary and sufficient to solve the problem.

I don't remember seeing any +1's for this patch on the list. Please
remove this patch until one can be made that addresses the same issues
with the proxy code (which also uses get_chunk_size()).

-aaron