My criticism has to do with your implementation.
There's no point in fixing exploitable code with
a differently exploitable implementation.  Just
buffer things in an internal array and merge the
string once at the end of the loop, and *not* as
you iterate over the elements of the range header.




>________________________________
>From: Jim Jagielski <j...@jagunet.com>
>To: dev@httpd.apache.org
>Sent: Thursday, August 25, 2011 5:10 PM
>Subject: Re: svn commit: r1161661 - /httpd/httpd/trunk/modules/http/byterange_filter.c
>
>
>On Aug 25, 2011, at 5:02 PM, Joe Schaefer wrote:
>
>> +1, also has the advantage of not being a quadratic
>> allocator the way Jim's usage of apr_pstrcat is.
>> 
>
>So what, exactly, will ap_set_byterange() do…? It was
>my impression that it created our r->range entry...
>
>
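
The allocation pattern this message objects to, next to the buffer-then-merge-once approach it recommends, as an added example in plain C (not code from the thread or from httpd). calloc stands in for APR pool allocation, the input is constructed, and every function name is illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static size_t bytes_requested;   /* demo counter; all names here are illustrative */
static char *counted_alloc(size_t n) {
    char *p = calloc(1, n);      /* zero-filled, so a 1-byte buffer is "" */
    if (!p) abort();
    bytes_requested += n;
    return p;
}
/* Pattern criticized in the thread: concatenate on every element, recopying
 * everything merged so far. A pool would also keep each old buffer alive. */
char *merge_per_iteration(const char **elts, size_t n) {
    char *merged = counted_alloc(1);
    for (size_t i = 0; i < n; i++) {
        size_t old = strlen(merged), add = strlen(elts[i]);
        char *next = counted_alloc(old + (i ? 1 : 0) + add + 1);
        memcpy(next, merged, old);
        if (i) next[old++] = ',';
        memcpy(next + old, elts[i], add + 1);   /* copies the NUL too */
        free(merged);
        merged = next;
    }
    return merged;
}
/* Suggested pattern: elements buffered in an array, one sized allocation. */
char *merge_once(const char **elts, size_t n) {
    size_t total = 1;                           /* trailing NUL */
    for (size_t i = 0; i < n; i++)
        total += strlen(elts[i]) + (i ? 1 : 0);
    char *out = counted_alloc(total), *w = out;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(elts[i]);
        if (i) *w++ = ',';
        memcpy(w, elts[i], len);
        w += len;
    }
    *w = '\0';
    return out;
}
size_t alloc_cost(char *(*merge)(const char **, size_t), const char **e, size_t n) {
    bytes_requested = 0;
    free(merge(e, n));
    return bytes_requested;
}
int main(void) {
    const char *e[] = {"0-0", "1-1", "2-2", "3-3"};   /* constructed input */
    printf("per-iteration: %zu, once: %zu\n",
           alloc_cost(merge_per_iteration, e, 4), alloc_cost(merge_once, e, 4));
}
```

The per-iteration total grows with the square of the element count, while the single merge grows linearly with it.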
