Forum OpenACS Q&A: Response to Anyone using AOLserver < 3.4 with nsperm module?

Well ok.  I agree that the interface for Ns_HtuuDecode is not the best, but the problem that you're talking about doesn't exist in the patched version of ParseAuth.  It's always going to allocate enough bytes for the decoding.  I also think you're correct in stating that the Ns_HtuuDecode routine was meant to be called in a loop that processed the input buffer a chunk at a time.  This code was probably cut and pasted from something else, and the prospect of a buffer overflow was overlooked.

As you mentioned, the malloc logic should be modified to limit the size of a malloc,so that some wiley hax0r doesn't crash your server by sending you a large authentication header.

The ParseAuth and Ns_HtuuDecode routines could definitely use a little work.