Re: Christopher Williamson: URGENT: Bug/compatability issue in Apache

[Jim Jagielski <ji...@jaguNET.com>]

Hrm.... I would be prone to either removing this patch, or at least
redoing it. As some of you may recall, I mentioned this area a little
bit ago regarding our use and expectation of ANSI sscanf() here as
well.

However, isn't what we are doing correct? It *is* an invalid protocol
statement... I'd be willing to wrap this in a new directive, so we
have both.

Rodent of Unusual Size wrote:
> 
> Not acked (by me, at least).  I can feel their pain..
> 
> -------- Original Message --------
> Subject: Christopher Williamson: URGENT: Bug/compatability issue in Apache 1.3.26
> Date: Wed, 03 Jul 2002 12:49:26 -0600
> From: Christopher Williamson <ch...@dq.com>
> To: martin@apache.org, support@apache.org, bugs@apache.org
> 
> I sent this a week ago directly to Martin and never got a response, can anyone
> else please help?  If not, I will open a bug in BugZilla about it.
> 
> ------- Forwarded Message
> 
> Forwarded: Tue, 25 Jun 2002 22:39:36 -0600
> Forwarded: "jon,ben,roden "
> Subject: URGENT: Bug/compatability issue in Apache 1.3.26
> To: martin@apache.org
> X-URL: http://www.dq.com/
> Date: Tue, 25 Jun 2002 17:52:59 -0600
> From: Christopher Williamson <chrisw>
> 
> I am writing in hopes that you can help us with an urgent problem we are 
> having with a bug fix you put into Apache 1.3.26  I have spent two days
> tracking this down and am certain the issue is with your fix.
> 
> Due to an error in OUR online game code, we were incorrectly requesting
> files using 'HTTP-1.0' instead of 'HTTP/1.0' on the GET request line.  As you
> know, this is wrong.  However, suprisingly, this worked just fine for several
> years with both Apache and other Web servers, presumably because the server 
> just ignored it or defaulted to HTTP/1.0.  If you want to test, try our
> down-level Apache server at lobby.dqsoft.com with GET /index.html HTTP-1.0
> I am sure I am not the only one with this problem, as there are several 
> socket tutorials and such that incorrectly say 'HTTP-1.0'.
> 
> However, as of 1.3.26 this GET request now results in a 400 Bad Request
> and as a result, all of our current online games cannot retrieve the config
> files causing numerous problems.
> 
> You would correctly argue that we should fix this on our end, which we already
> have done.  However, the 'we are screwed' part is that the 50,000 some odd 
> folks out there with our online games can no longer get news, updates, alerts,
> etc. from our Web site using Apache.  To make matters worse, we cant simply 
> redirect the files since the requests fail immediately, the only solution for
> us is to switch to a M$ server or a down-level Apache build with the security
> vulnerability for our entire domain!
> 
> In the short-term, I am convincing our Web hosts to move us to a down-level
> server.  However, I would like to ask if you would please strongly consider
> putting a 'fix' into the next Apache release to handle this incorrect format
> in a backward-compatible fashion.  When the next update occurs, we can ask
> our host to then upgrade us knowing that our old games will still work
> without compromising our site's security or resorting to a competing server.
> 
> I thank you for your time and support of Apache.  If you need help or 
> clarification, please dont hesitate to write back.  Even just a quick 
> 'we are looking into it' would help me rest easier.
> 
> Christopher Williamson
> President, DreamQuest Software (http://dq.com/)
> "Championship Spades is the first cross-platform wireless game!"
> 
> ------- End of Forwarded Message
> 


-- 
===========================================================================
   Jim Jagielski   [|]   jim@jaguNET.com   [|]   http://www.jaguNET.com/
      "A society that will trade a little liberty for a little order
             will lose both and deserve neither" - T.Jefferson