[Namazu-devel-en] Re: [PATCH] potential buffer overrun in namazu.cgi?

Derek Atkins warlord at MIT.EDU
Thu May 18 02:53:11 JST 2006


Tadamasa Teranishi <yw3t-trns at asahi-net.or.jp> writes:

> Derek Atkins wrote:
>> 
>> In case you care, here's the patch I used, against 2.0.16.  This patch
>> also implements a third replacement, {version}, so that I can put the
>> namazu version# into the output without requiring the templates to
>> know what version of namazu is running.
>
> As for Namazu 2.0.X, the function enhancing is scheduled not to be 
> done in the future. (Only the bug fix)

Well, sure.  I figured adding {version} wasn't really a "feature"
per se -- it was only a couple lines of code and made my life easier.
You're welcome to choose not to accept it into 2.0.x

> However, it is likely to be enhanced in Namazu 2.2.X (It is thought 
> that the format changes) to use the one other than "{cgi}" "{doc}".

Okay.

> By the way,
> The buffer is similarly broken when VERSION is 10 characters or 
> more though "{version}" is 9 characters. 
> It doesn't become 10 characters or more in a usual release version. 
> However, the one under development might exceed and gets 10 
> characters. 
>
>  ex) 2.0.17pre1

Yeah..  I kind of assumed that you could control the version strings..
I figured it would be safe for any XX.YY.ZZ.  I didn't think about
'preXX' releases or 'rcXX' releases.  Personally I dislike that
approach to release engineering..  The time to release a 2.0.17pre1
and then a 2.0.17 is no more significant than the time to release a
2.0.17 and then a 2.0.18, so why release pre-releases?

>> Because another problem was found, it corrects it collectively. 
>
> The correction of stability version (stable-2-0) source of CVS has 
> corrected and development version (HEAD) sources. 

That's fine, but I'm not running against CVS, and you haven't released
a 2.0.17.

Thanks,

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available


More information about the Namazu-devel-en mailing list