brian 98/05/03 20:03:05
Modified: . STATUS
Log:
Final bit of reprioritizations for now. Note that showstoppers are at the
top! People should either fix them, or decide that the showstoppers aren't
necessary.
Revision Changes Path
1.361 +52 -57 apache-1.3/STATUS
Index: STATUS
===================================================================
RCS file: /export/home/cvs/apache-1.3/STATUS,v
retrieving revision 1.360
retrieving revision 1.361
diff -u -r1.360 -r1.361
--- STATUS 1998/05/04 02:58:02 1.360
+++ STATUS 1998/05/04 03:03:04 1.361
@@ -9,8 +9,59 @@
2.0 : In pre-alpha development, see apache-2.0 repository
-Showstoppers:
+FINAL RELEASE SHOWSTOPPERS:
+
+ * proxy security fixes from 1.2.5 need to be brought forward
+ Jim: What are these?
+
+ * Someone other than Dean has to do a security/correctness review on
+ psprintf(), bprintf(), and ap_snprintf(). In particular these routines
+ do lots of fun pointer manipulations and such and possibly have overflow
+ errors. The respective flush_funcs also need to be exercised.
+ o Jim's looked over the ap_snprintf() stuff (the changes that Dean
+ did to make thread-safe) and they look fine.
+
+ * The DoS issue about symlinks to /dev/zero is still present.
+ A device checker patch had been sent to the list a while ago.
+ Msg-Id: ?
+ Jim: Couldn't we just use stat() and check the file-type?
+ stats are expensive though...
+
+ * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
+ See: <Pine.LNX.3.96dg4.980427034301.16648P-100000@twinlark.arctic.org>
+
+WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
+
+ * CGIs
+ - hangs on multiple CGI execution? PR#1607,1129
+ Marc can't repeat...
+
+ * SECURITY: PR#1203 still needs to be dealt with for WIN32
+
+ * SECURITY: check if the magic con/aux/nul/etc names do anything
+ really bad
+
+ * SECURITY: numerous uses of strcpy and strcat have potential
+ for buffer overflow, someone should rewrite or verify
+ they're safe
+
+ * SECURITY: os_ abstract is_only_below() in mod_include.c
+ * signal type handling
+ - how to rotate logs from command line?
+
+ * bad use of chdir in some places; it isn't thread-specific
+
+Documentation that needs writing:
+
+ * Documentation for:
+ 1) htdocs/manual/sourcereorg.html and other files should mention
+ new mod_so capabilities.
+ 2) windows.html should be cleaned up.
+
+ * Need a document explaining mod_rewrite/"UseCanonicalName off" based
+ virtualhosting. (If it exists already I can't find it easily.)
+
Available Patches:
* Ed Korthof's patch to fix protocol issues surrounding 400, 408, and
@@ -48,38 +99,6 @@
* Ken's IndexFormat enhancement to mod_autoindex to allow
CustomLog-like tailoring of directory listing formats
-FINAL RELEASE SHOWSTOPPERS:
-
- * proxy security fixes from 1.2.5 need to be brought forward
- Jim: What are these?
-
- * Someone other than Dean has to do a security/correctness review on
- psprintf(), bprintf(), and ap_snprintf(). In particular these routines
- do lots of fun pointer manipulations and such and possibly have overflow
- errors. The respective flush_funcs also need to be exercised.
- o Jim's looked over the ap_snprintf() stuff (the changes that Dean
- did to make thread-safe) and they look fine.
-
- * The DoS issue about symlinks to /dev/zero is still present.
- A device checker patch had been sent to the list a while ago.
- Msg-Id: ?
- Jim: Couldn't we just use stat() and check the file-type?
- stats are expensive though...
-
- * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
- See: <Pine.LNX.3.96dg4.980427034301.16648P-100000@twinlark.arctic.org>
-
-
-Documentation that needs writing:
-
- * Documentation for:
- 1) htdocs/manual/sourcereorg.html and other files should mention
- new mod_so capabilities.
- 2) windows.html should be cleaned up.
-
- * Need a document explaining mod_rewrite/"UseCanonicalName off" based
- virtualhosting. (If it exists already I can't find it easily.)
-
Needs patch:
* uri issues
@@ -126,8 +145,6 @@
apdefaults.h :
apdefines.h :
-Closed issues:
-
Open issues:
* Paul would like to see a 'gdbm' option because he uses
@@ -326,28 +343,6 @@
* mod_include --> exec cgi, exec cmd, etc. don't work right.
Looks like a code path that isn't run anywhere else that has
something not quite right... A PR or two on it.
-
-WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
-
- * CGIs
- - hangs on multiple CGI execution? PR#1607,1129
- Marc can't repeat...
-
- * SECURITY: PR#1203 still needs to be dealt with for WIN32
-
- * SECURITY: check if the magic con/aux/nul/etc names do anything
- really bad
-
- * SECURITY: numerous uses of strcpy and strcat have potential
- for buffer overflow, someone should rewrite or verify
- they're safe
-
- * SECURITY: os_ abstract is_only_below() in mod_include.c
-
- * signal type handling
- - how to rotate logs from command line?
-
- * bad use of chdir in some places; it isn't thread-specific
Delayed until after 1.3.0, unless someone happens to get to it:
Modified: . STATUS
Log:
Final bit of reprioritizations for now. Note that showstoppers are at the
top! People should either fix them, or decide that the showstoppers aren't
necessary.
Revision Changes Path
1.361 +52 -57 apache-1.3/STATUS
Index: STATUS
===================================================================
RCS file: /export/home/cvs/apache-1.3/STATUS,v
retrieving revision 1.360
retrieving revision 1.361
diff -u -r1.360 -r1.361
--- STATUS 1998/05/04 02:58:02 1.360
+++ STATUS 1998/05/04 03:03:04 1.361
@@ -9,8 +9,59 @@
2.0 : In pre-alpha development, see apache-2.0 repository
-Showstoppers:
+FINAL RELEASE SHOWSTOPPERS:
+
+ * proxy security fixes from 1.2.5 need to be brought forward
+ Jim: What are these?
+
+ * Someone other than Dean has to do a security/correctness review on
+ psprintf(), bprintf(), and ap_snprintf(). In particular these routines
+ do lots of fun pointer manipulations and such and possibly have overflow
+ errors. The respective flush_funcs also need to be exercised.
+ o Jim's looked over the ap_snprintf() stuff (the changes that Dean
+ did to make thread-safe) and they look fine.
+
+ * The DoS issue about symlinks to /dev/zero is still present.
+ A device checker patch had been sent to the list a while ago.
+ Msg-Id: ?
+ Jim: Couldn't we just use stat() and check the file-type?
+ stats are expensive though...
+
+ * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
+ See: <Pine.LNX.3.96dg4.980427034301.16648P-100000@twinlark.arctic.org>
+
+WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
+
+ * CGIs
+ - hangs on multiple CGI execution? PR#1607,1129
+ Marc can't repeat...
+
+ * SECURITY: PR#1203 still needs to be dealt with for WIN32
+
+ * SECURITY: check if the magic con/aux/nul/etc names do anything
+ really bad
+
+ * SECURITY: numerous uses of strcpy and strcat have potential
+ for buffer overflow, someone should rewrite or verify
+ they're safe
+
+ * SECURITY: os_ abstract is_only_below() in mod_include.c
+ * signal type handling
+ - how to rotate logs from command line?
+
+ * bad use of chdir in some places; it isn't thread-specific
+
+Documentation that needs writing:
+
+ * Documentation for:
+ 1) htdocs/manual/sourcereorg.html and other files should mention
+ new mod_so capabilities.
+ 2) windows.html should be cleaned up.
+
+ * Need a document explaining mod_rewrite/"UseCanonicalName off" based
+ virtualhosting. (If it exists already I can't find it easily.)
+
Available Patches:
* Ed Korthof's patch to fix protocol issues surrounding 400, 408, and
@@ -48,38 +99,6 @@
* Ken's IndexFormat enhancement to mod_autoindex to allow
CustomLog-like tailoring of directory listing formats
-FINAL RELEASE SHOWSTOPPERS:
-
- * proxy security fixes from 1.2.5 need to be brought forward
- Jim: What are these?
-
- * Someone other than Dean has to do a security/correctness review on
- psprintf(), bprintf(), and ap_snprintf(). In particular these routines
- do lots of fun pointer manipulations and such and possibly have overflow
- errors. The respective flush_funcs also need to be exercised.
- o Jim's looked over the ap_snprintf() stuff (the changes that Dean
- did to make thread-safe) and they look fine.
-
- * The DoS issue about symlinks to /dev/zero is still present.
- A device checker patch had been sent to the list a while ago.
- Msg-Id: ?
- Jim: Couldn't we just use stat() and check the file-type?
- stats are expensive though...
-
- * get_path_info bug; ap_get_remote_host should be ap_vformatter instead.
- See: <Pine.LNX.3.96dg4.980427034301.16648P-100000@twinlark.arctic.org>
-
-
-Documentation that needs writing:
-
- * Documentation for:
- 1) htdocs/manual/sourcereorg.html and other files should mention
- new mod_so capabilities.
- 2) windows.html should be cleaned up.
-
- * Need a document explaining mod_rewrite/"UseCanonicalName off" based
- virtualhosting. (If it exists already I can't find it easily.)
-
Needs patch:
* uri issues
@@ -126,8 +145,6 @@
apdefaults.h :
apdefines.h :
-Closed issues:
-
Open issues:
* Paul would like to see a 'gdbm' option because he uses
@@ -326,28 +343,6 @@
* mod_include --> exec cgi, exec cmd, etc. don't work right.
Looks like a code path that isn't run anywhere else that has
something not quite right... A PR or two on it.
-
-WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
-
- * CGIs
- - hangs on multiple CGI execution? PR#1607,1129
- Marc can't repeat...
-
- * SECURITY: PR#1203 still needs to be dealt with for WIN32
-
- * SECURITY: check if the magic con/aux/nul/etc names do anything
- really bad
-
- * SECURITY: numerous uses of strcpy and strcat have potential
- for buffer overflow, someone should rewrite or verify
- they're safe
-
- * SECURITY: os_ abstract is_only_below() in mod_include.c
-
- * signal type handling
- - how to rotate logs from command line?
-
- * bad use of chdir in some places; it isn't thread-specific
Delayed until after 1.3.0, unless someone happens to get to it: