Posted to apreq-dev@httpd.apache.org by Marc Englund <ma...@itmill.com> on 2001/02/27 10:35:34 UTC

Bugs & patch, libapreq-0.31

Hi!

I think I have stumbled upon quite serious bugs in libapreq-0.31
- these might have been addressed already, but since I
didn't find an archive of this list (I'm new), I decided to
mail anyway.

The thing I noticed first was that when using a multipart form,
information could pass over between sessions - the buffers
were not cleared! I noticed this because I use a single Apache
process while developing, but we were able to recreate the bug
in our 'production' environment. If one submits a quite long
text and then a shorter one, the second submit will include the
end of the first one.

While trying to fix this quickly I found other problems: 

- libapreq segfaulted if the submitted text was exactly a
  'multipart-buffer' long (5120)

- a submitted text could never be more than two multipart-buffers 
  long (2*5120)

I have included a patch to libapreq-0.31, but it's just a quick 
fix (although it seems to work).

Comments?

[ marc englund | marc@itmill.com | +358 40 8408483 | 97895957 ]

Re: Bugs & patch, libapreq-0.31

Posted by Joe Schaefer <jo...@sunstarsys.com>.
Marc Englund <ma...@itmill.com> writes:

> - libapreq segfaulted if the submitted text was exactly a
>   'multipart-buffer' long (5120)
> 
> - a submitted text could never be more than two multipart-buffers 
>   long (2*5120)
> 
> I have included a patch to libapreq-0.31, but it's just a quick 
> fix (although it seems to work).

[...]

> 
> diff -Naur libapreq-0.31-orig/c/apache_request.c libapreq-0.31/c/apache_request.c
> --- libapreq-0.31-orig/c/apache_request.c	Sat Jul  3 04:00:17 1999
> +++ libapreq-0.31/c/apache_request.c	Wed Jan 31 14:06:47 2001

I think you're patching a fairly old build of libapreq:

[...]

>  
> @@ -295,7 +313,7 @@
>  	retval = retval ?
>  	    my_join(self->r->pool, retval, old_len, data, blen) :
>  	    ap_pstrndup(self->r->pool, data, blen);
> -	old_len = blen;
> +	old_len += blen;
        ^^^^^^^^^^^^^^^
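Review bot: `old_len += blen` is the right correction for the `my_join(self->r->pool, retval, old_len, data, blen)` call just above it: `retval` already holds every chunk joined so far, so the length handed over with it has to be the accumulated length. The original `old_len = blen` passed only the previous chunk's length, and if `my_join` copies `old_len` bytes of `retval` (as its argument order suggests), then from the third chunk on the join kept just one chunk's worth of the old value, which matches the reported limit of two multipart buffers. The hunk does not show where `old_len` is initialised; with `+=` it must be zero before the first pass (the `ap_pstrndup` branch sets `retval` without touching `old_len`), otherwise the first join starts from a stale length.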

This bug I definitely recognize, since I think I introduced it in the 
first patch I posted to the modperl list.  It was later fixed in a 
followup around September or so.

Anyway, the multipart buffer code is substantially better now (and 
probably will change again soon), so it would be quite helpful if you
could test the latest version and see if these problems still crop up.
I think you can fetch a copy at

  http://www.apache.org/~jimw/httpd-apreq-20010202.tar.gz

Thanks a lot.
-- 
Joe Schaefer
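The two-buffer limit Marc reports and the one-character change in the quoted hunk (`old_len = blen` versus `old_len += blen`) are the same bug seen from two sides. The following is an added illustration, not code from libapreq or from either poster: it models the chunk-accumulation loop with plain malloc() in place of the Apache pool, and `join_chunks()` is an assumed stand-in for libapreq's `my_join()` with the same argument shape (existing buffer, its length, new data, its length). It models only the length-tracking error, not the segfault at exactly one buffer length or the cross-request bleed, which the thread does not show enough code to reproduce.

```c
/* Added model of the libapreq-0.31 length-tracking bug discussed above.
 * Not libapreq code: malloc() stands in for the Apache pool, and
 * join_chunks() is an assumed stand-in for my_join(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for my_join(): a new buffer holding the first old_len
 * bytes of old followed by blen bytes of data, NUL terminated. */
static char *join_chunks(const char *old, size_t old_len,
                         const char *data, size_t blen)
{
    char *out = malloc(old_len + blen + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, old, old_len);
    memcpy(out + old_len, data, blen);
    out[old_len + blen] = '\0';
    return out;
}

/* Accumulate src in pieces of at most chunk_len bytes, the way the
 * multipart reader appends each buffer it reads.  With patched != 0 the
 * running length is updated as "old_len += blen" (the patched line);
 * with patched == 0 it is updated as "old_len = blen" (the original).
 * Returns a malloc()ed string the caller frees, or NULL on allocation
 * failure. */
char *collect_chunks(const char *src, size_t chunk_len, int patched)
{
    char *retval = NULL;
    size_t old_len = 0;              /* must start at 0 for "+=" to be right */
    size_t remaining = strlen(src);

    while (remaining > 0) {
        size_t blen = remaining < chunk_len ? remaining : chunk_len;

        if (retval) {
            char *joined = join_chunks(retval, old_len, src, blen);
            free(retval);
            retval = joined;
        } else {
            retval = malloc(blen + 1);
            if (retval) {
                memcpy(retval, src, blen);
                retval[blen] = '\0';
            }
        }
        if (retval == NULL)
            return NULL;

        if (patched)
            old_len += blen;         /* length of everything kept so far */
        else
            old_len = blen;          /* length of the last chunk only */

        src += blen;
        remaining -= blen;
    }
    return retval;
}

int main(void)
{
    /* Constructed input: three chunks of four bytes each. */
    const char *input = "AAAABBBBCCCC";
    char *buggy = collect_chunks(input, 4, 0);
    char *fixed = collect_chunks(input, 4, 1);

    printf("original : %s\n", buggy ? buggy : "(alloc failed)");
    printf("patched  : %s\n", fixed ? fixed : "(alloc failed)");

    free(buggy);
    free(fixed);
    return 0;
}
```

With the original update the third chunk is joined against a length of only four bytes, so the result is "AAAACCCC": the middle chunk is overwritten and the value can never grow past two buffers, exactly the symptom reported. With the accumulated length all three chunks survive.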