From: André Malo Date: Thu, 31 Jul 2003 20:23:21 +0000 (+0000) Subject: reject overlong credentials from command line X-Git-Tag: 2.0.48~160 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff73a722b8178c4d63357c768d5eedb5096eb6ee;p=thirdparty%2Fapache%2Fhttpd.git reject overlong credentials from command line Reviewed by: Justin Erenkrantz, Jeff Trawick git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@100880 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 2c0f1f3251b..4185ee714e7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,8 @@ Changes with Apache 2.0.48 + *) ab: Overlong credentials given via command line no longer clobber + the buffer. [André Malo] + *) mod_deflate: Don't attempt to hold all of the response until we're done. [Justin Erenkrantz] diff --git a/STATUS b/STATUS index 4059f0b58cc..d0409d0c188 100644 --- a/STATUS +++ b/STATUS @@ -1,5 +1,5 @@ APACHE 2.0 STATUS: -*-text-*- -Last modified at [$Date: 2003/07/30 20:33:55 $] +Last modified at [$Date: 2003/07/31 20:23:20 $] Release: @@ -266,10 +266,6 @@ PATCHES TO PORT FROM 2.1 nd replies: of course ..., 1.168 does. +1: nd, jerenkrantz, trawick - * ab: reject overlong credentials from command line (2.0 + 1.3) - support/ab.c: r1.127 - +1: nd, jerenkrantz, trawick - * ab: Handle conditions where connect() on non-blocking socket doesn't complete immediately (i.e., restore functionality when benchmarking non-local targets). This doesn't resolve some diff --git a/support/ab.c b/support/ab.c index fea3da3569a..0210b357397 100644 --- a/support/ab.c +++ b/support/ab.c 
@@ -1777,14 +1777,14 @@ static void test(void) static void copyright(void) { if (!use_html) { - printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1.121.2.2 $> apache-2.0"); + printf("This is ApacheBench, Version %s\n", AP_AB_BASEREVISION " <$Revision: 1.121.2.3 $> apache-2.0"); printf("Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/\n"); printf("Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/\n"); printf("\n"); } else { printf("

\n"); - printf(" This is ApacheBench, Version %s <%s> apache-2.0
\n", AP_AB_BASEREVISION, "$Revision: 1.121.2.2 $"); + printf(" This is ApacheBench, Version %s <%s> apache-2.0
\n", AP_AB_BASEREVISION, "$Revision: 1.121.2.3 $"); printf(" Copyright (c) 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
\n"); printf(" Copyright (c) 1998-2002 The Apache Software Foundation, http://www.apache.org/
\n"); printf("

\n

\n"); @@ -2070,6 +2070,9 @@ int main(int argc, const char * const argv[]) */ while (apr_isspace(*optarg)) optarg++; + if (apr_base64_encode_len(strlen(optarg)) > sizeof(tmp)) { + err("Authentication credentials too long\n"); + } l = apr_base64_encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0'; @@ -2082,6 +2085,9 @@ int main(int argc, const char * const argv[]) */ while (apr_isspace(*optarg)) optarg++; + if (apr_base64_encode_len(strlen(optarg)) > sizeof(tmp)) { + err("Proxy credentials too long\n"); + } l = apr_base64_encode(tmp, optarg, strlen(optarg)); tmp[l] = '\0';
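Review bot: The new guard in the "Authentication credentials too long" hunk, and the identical one in the "Proxy credentials too long" hunk, still accepts the case where `apr_base64_encode_len(strlen(optarg))` equals `sizeof(tmp)`, while the context line after the encode stores `tmp[l] = '\0'` at the index returned by `apr_base64_encode`. APR documents the `_len` result as counting the trailing NUL; if the encode call's return value counts it too, `l` can reach `sizeof(tmp)` and that store lands one byte past the buffer. Whether equality is reachable depends on the declared size of `tmp`, which is outside the hunk. Changing the comparison to `if (apr_base64_encode_len(strlen(optarg)) >= sizeof(tmp)) {` in both places keeps the encode and the extra terminator in bounds for any buffer size. The check also only protects `tmp` if `err()` never returns, which these lines do not show; `main()` begins and ends outside both hunks.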