[Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?
Derek Atkins
warlord at MIT.EDU
Thu May 18 02:53:11 JST 2006
Tadamasa Teranishi <yw3t-trns at asahi-net.or.jp> writes:
> Derek Atkins wrote:
>>
>> In case you care, here's the patch I used, against 2.0.16. This patch
>> also implements a third replacement, {version}, so that I can put the
>> namazu version# into the output without requiring the templates to
>> know what version of namazu is running.
>
> As for Namazu 2.0.X, the function enhancing is scheduled not to be
> done in the future. (Only the bug fix)
Well, sure. I figured adding {version} wasn't really a "feature"
per se -- it was only a couple lines of code and made my life easier.
You're welcome to choose not to accept it into 2.0.x.
> However, it is likely to be enhanced in Namazu 2.2.X (It is thought
> that the format changes) to use the one other than "{cgi}" "{doc}".
Okay.
> By the way,
> The buffer is similarly broken when VERSION is 10 characters or
> more though "{version}" is 9 characters.
> It doesn't become 10 characters or more in a usual release version.
> However, the one under development might exceed and gets 10
> characters.
>
> ex) 2.0.17pre1
Yeah.. I kind of assumed that you could control the version strings..
I figured it would be safe for any XX.YY.ZZ. I didn't think about
'preXX' releases or 'rcXX' releases. Personally I dislike that
approach to release engineering.. The time to release a 2.0.17pre1
and then a 2.0.17 is no more significant than the time to release a
2.0.17 and then a 2.0.18, so why release pre-releases?
>> Because another problem was found, it corrects it collectively.
>
> The correction of stability version (stable-2-0) source of CVS has
> corrected and development version (HEAD) sources.
That's fine, but I'm not running against CVS, and you haven't released
a 2.0.17.
Thanks,
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord at MIT.EDU PGP key available
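
The length mismatch discussed in this message ("{version}" is 9 characters, "2.0.17pre1" is 10), as an added example that is not part of the original e-mail and is not Namazu's code: a bounded placeholder substitution in C that refuses to expand when the replacement would not fit. The function name subst_placeholder, the buffer sizes and the template line are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Namazu code): replace the first occurrence of
 * `key` in the NUL-terminated string held in buf[cap] with `val`.
 * Returns 1 if replaced, 0 if key is absent, -1 if the result would not
 * fit in cap bytes (buf is left untouched in that case). */
int subst_placeholder(char *buf, size_t cap, const char *key, const char *val)
{
    size_t len = strlen(buf);
    size_t klen = strlen(key);
    size_t vlen = strlen(val);
    char *hit = strstr(buf, key);

    if (hit == NULL)
        return 0;
    if (len >= cap)
        return -1;              /* caller passed a wrong capacity */

    /* The string grows only when the value is longer than the placeholder,
     * e.g. "{version}" (9 chars) replaced by "2.0.17pre1" (10 chars). */
    if (vlen > klen && vlen - klen > cap - 1 - len)
        return -1;

    /* Move the tail (including the NUL) to its new position, then copy
     * the value in. memmove is required because the regions overlap. */
    size_t tail = len - (size_t)(hit - buf) - klen + 1;
    memmove(hit + vlen, hit + klen, tail);
    memcpy(hit, val, vlen);
    return 1;
}

int main(void)
{
    /* Constructed template line: 28 characters plus NUL, so the buffer
     * has room only for a value no longer than the placeholder. */
    char ok[29]    = "Powered by Namazu v{version}";
    char tight[29] = "Powered by Namazu v{version}";

    int r1 = subst_placeholder(ok, sizeof ok, "{version}", "2.0.16");
    int r2 = subst_placeholder(tight, sizeof tight, "{version}", "2.0.17pre1");
    printf("%d \"%s\"\n", r1, ok);       /* replaced in place */
    printf("%d \"%s\"\n", r2, tight);    /* rejected, buffer unchanged */
    return 0;
}
```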