Re: Commit crasher fix to libsoup?

From: Nate Nielsen <nielsen-list memberwebs com>
To: Dan Winship <danw novell com>, libsoup-list gnome org
Subject: Re: Commit crasher fix to libsoup?
Date: Tue, 11 Jul 2006 15:50:18 +0000 (GMT)

Dan Winship wrote:
> Nate Nielsen wrote:
>> The soup-list ximian com doesn't seem to exist (described in
>> libsoup/HACKING)
> 
> Oops. It's libsoup-list gnome org now.

Heh, I should have looked around at mail.gnome.org. I hope it's okay
that we continue this discussion on the list.

>> Attached is a patch which fixes a crasher (when the server sends BASIC
>> auth without a realm="xxx".
>>
>> Ok to commit?
> 
> No... RFC 2617 says that any auth response containing a challenge must
> contain a realm token, so the server response here is invalid, and
> soup_auth_new_from_header_list() should be returning NULL rather than
> returning a SoupAuth with a NULL realm. 

RFC doesn't say that the app should crash. If a application using
libsoup segfaults on invalid input, then that would seem to me to be
security bug that needs to be fixed. Currently it is a remotely
exploitable DOS attack.

bugtraq has issue after issue exactly like this.

> What server is this that's
> sending that response back?

This is a proprietary app server. But that's not the point.

Cheers,
Nate

Follow-Ups:
- Re: Commit crasher fix to libsoup?
  - From: Dan Winship

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]