Forum OpenACS Q&A: Response to Anyone using AOLserver < 3.4 with nsperm module?
15: Response to Anyone using AOLserver < 3.4 with nsperm module? (response to 1)
Posted by Jerry Asher on 06/23/01 09:15 PM
"but the problem that you're talking about doesn't exist in the patched version of ParseAuth"

I agree, that's why I started by saying:
"Argh, all these answers would just be wrong if the wrong thing had not already been done within AOLserver. As the ChangeLog states, Ns_HtuuDecode does not do an adequate job of preventing data overflow. The fix isn't in serv.c, the fix is in htuu.c. If you make this fix in serv.c, you will still leave NsTclHTUUDecodeCmd (ns_uudecode) broken, which would lead to the same buffer overflow. Oh. Except that someone already put the kluge (overmalloc the buffer) in there."

The point being this is still just the wrong thing to do. I don't know when the next module is going to be written to call Ns_HtuuDecode, but that module is going to have to be written correctly, to a problematical interface, or risk crashing AOLserver and/or subjecting it to a security hole. I would prefer an architecture in which incorrectly written modules may not work correctly but are otherwise benign.
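As an added illustration of the interface Jerry is arguing for (this is not AOLserver's Ns_HtuuDecode or any code from the thread; `safe_htuu_decode` and its signature are hypothetical), a base64/HTUU decoder that takes the output capacity from the caller and fails closed instead of relying on an over-allocated buffer:

```c
#include <stddef.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, -1 if invalid. */
static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Hypothetical bounds-checked decoder. Returns bytes written, or -1 on
 * malformed input or when the decoded data would not fit in out_cap bytes.
 * A careless caller that passes a small buffer gets an error, not a crash. */
long safe_htuu_decode(const char *in, unsigned char *out, size_t out_cap) {
    size_t n = strlen(in), i, written = 0;
    unsigned long acc = 0;
    int bits = 0;
    for (i = 0; i < n; i++) {
        if (in[i] == '=') break;                 /* padding ends the data */
        int v = b64_val(in[i]);
        if (v < 0) return -1;                    /* outside the alphabet */
        acc = (acc << 6) | (unsigned long)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (written >= out_cap) return -1;   /* would overflow: refuse */
            out[written++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1UL << bits) - 1;            /* keep only unconsumed bits */
        }
    }
    for (; i < n; i++)
        if (in[i] != '=') return -1;             /* only padding may follow */
    return (long)written;
}

/* Helper for checking: 1 if `in` decodes into a cap-sized buffer as `expect`. */
int decodes_to(const char *in, size_t cap, const char *expect) {
    unsigned char buf[64];
    if (cap > sizeof buf) return 0;
    long r = safe_htuu_decode(in, buf, cap);
    if (r < 0) return expect == NULL;            /* caller expected a failure */
    return expect != NULL && (size_t)r == strlen(expect)
        && memcmp(buf, expect, (size_t)r) == 0;
}
```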