Re: Commit crasher fix to libsoup?
- From: Dan Winship <danw novell com>
- To: nielsen memberwebs com
- Cc: libsoup-list gnome org
- Subject: Re: Commit crasher fix to libsoup?
- Date: Tue, 11 Jul 2006 12:30:57 -0400
Nate Nielsen wrote:
>> No... RFC 2617 says that any auth response containing a challenge must
>> contain a realm token, so the server response here is invalid, and
>> soup_auth_new_from_header_list() should be returning NULL rather than
>> returning a SoupAuth with a NULL realm.
> RFC doesn't say that the app should crash. If an application using
> libsoup segfaults on invalid input, then that would seem to me to be a
> security bug that needs to be fixed.
Right, as I said, I think the fix should be to return NULL from
soup_auth_new_from_header_list() in this case. That would fix the crash,
because then every SoupAuth would always have a realm, so the strcmp in
soup-session would always be safe.
>> What server is this that's
>> sending that response back?
> This is a proprietary app server. But that's not the point.
Well, it is, because if you wrote the server, then I can make soup
ignore its malformed WWW-Authenticate response, and tell you to fix your
server, and not feel guilty. Whereas if you don't control the server,
then I either need to make libsoup cope with its bad response, or feel
guilty about not doing it. :)
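The fix described above, as an added illustration rather than libsoup's own code: a challenge parser that returns NULL for a WWW-Authenticate value with no realm token, so the caller's strcmp on the realm can never dereference NULL. The type and function names (Challenge, challenge_from_header, challenge_realm_matches) are assumptions, not libsoup identifiers.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Minimal stand-in for a parsed challenge; not libsoup's SoupAuth. */
typedef struct { char scheme[16]; char realm[128]; } Challenge;
/* Copy the value of a `name="..."` parameter into out; 0 if absent. */
static int get_quoted_param(const char *hdr, const char *name,
                            char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    for (const char *p = strstr(hdr, name); p; p = strstr(p + nlen, name)) {
        /* must start at a token boundary and be followed by '="' */
        int boundary = p == hdr || p[-1] == ' ' || p[-1] == ',' || p[-1] == '\t';
        if (!boundary || p[nlen] != '=' || p[nlen + 1] != '"') continue;
        const char *start = p + nlen + 2, *end = strchr(start, '"');
        if (!end || (size_t)(end - start) >= outlen) return 0;
        memcpy(out, start, end - start);
        out[end - start] = '\0';
        return 1;
    }
    return 0;
}

/* Parse a WWW-Authenticate value. Returns NULL for anything that is not a
 * well-formed RFC 2617 challenge (unknown scheme or no realm), so callers
 * never receive a challenge whose realm is NULL. */
Challenge *challenge_from_header(const char *hdr)
{
    Challenge *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    if (strncasecmp(hdr, "Basic ", 6) == 0) strcpy(c->scheme, "Basic");
    else if (strncasecmp(hdr, "Digest ", 7) == 0) strcpy(c->scheme, "Digest");
    else { free(c); return NULL; }
    if (!get_quoted_param(hdr, "realm", c->realm, sizeof c->realm)) {
        free(c);               /* RFC 2617: realm is required -> reject */
        return NULL;
    }
    return c;
}
/* Caller side: with the check above, strcmp on the realm is always safe. */
int challenge_realm_matches(const char *hdr, const char *expected)
{
    Challenge *c = challenge_from_header(hdr);
    if (!c) return 0;          /* malformed challenge: no match, no crash */
    int same = strcmp(c->realm, expected) == 0;
    free(c);
    return same;
}
```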