but the problem that you're talking about doesn't exist in the patched version of ParseAuth
I agree, that's why I started by saying:
Argh, all these answers would just be wrong if the wrong thing had not already been done within AOLserver. As the ChangeLog states,
Ns_HtuuDecode does not do an adequate job of preventing data overflow.
The fix isn't in serv.c, the fix is in htuu.c.
If you make this fix in serv.c, you will still leave NsTclHTUUDecodeCmd (ns_uudecode) broken, which would lead to the same buffer overflow. Oh. Except that someone already put the kluge (overmalloc the buffer) in there.
The point being this is still just the wrong thing to do. I don't know when the next module is going to be written to call Ns_HtuuDecode, but that module is going to have to be written correctly, to a problematical interface, or risk crashing AOLserver and/or subjecting it to a security hole. I would prefer an architecture in which incorrectly written modules may not work correctly but are otherwise benign.
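An added example, not part of the original post and not AOLserver code: a sketch of the kind of interface the post argues for, where the decoder itself enforces the output bound so an under-sized caller gets an error instead of an overflow. The names `bounded_b64_decode` and `undersized_caller_is_benign` are hypothetical, and the sample input is constructed.

```c
#include <string.h>

/* Map one base64 character to its 6-bit value, or -1 if it is not in the alphabet. */
static int b64val(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Hypothetical bounded decoder (not AOLserver's Ns_HtuuDecode): the callee
 * enforces outsize itself. Returns bytes written, or -1 on malformed input
 * or when the decoded data does not fit. Never writes past out[outsize-1]. */
int bounded_b64_decode(const char *in, unsigned char *out, size_t outsize)
{
    size_t n = 0;
    unsigned int acc = 0;
    int bits = 0;
    for (; *in != '\0' && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0)
            return -1;                 /* malformed input */
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsize)
                return -1;             /* would overflow: stop before writing */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* A caller that under-sizes its buffer (constructed input): decode fails,
 * and the 0xAA guard bytes after the first 4 stay untouched. */
int undersized_caller_is_benign(void)
{
    unsigned char mem[8];
    memset(mem, 0xAA, sizeof mem);
    int rc = bounded_b64_decode("dXNlcjpwYXNz", mem, 4);   /* decodes to 9 bytes */
    return rc == -1 && mem[4] == 0xAA && mem[7] == 0xAA;
}

int main(void)
{
    return undersized_caller_is_benign() ? 0 : 1;
}
```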