[1109] in bugtraq
Re: httpd ...
daemon@ATHENA.MIT.EDU (Rens Troost)
Sun Feb 26 18:39:51 1995
To: hobbit@bronze.lcs.mit.edu (*Hobbit*)
Cc: bugtraq@fc.net
In-Reply-To: Your message of "Fri, 24 Feb 1995 16:17:52 EST." <199502242117.QAA06453@bronze.lcs.mit.edu>
Reply-To: rens@imsi.com
Date: Sun, 26 Feb 1995 17:32:19 -0500
From: Rens Troost <rens@imsi.com>
>>>>> "*Hobbit*" == *Hobbit* <hobbit@bronze.lcs.mit.edu> writes:
*Hobbit*> Why is everyone so hot on bumping up buffer sizes, as
*Hobbit*> opposed to sanitizing and limiting the input TO them?
*Hobbit*> Christ, it seems so OBVIOUS in light of this Sendmail
*Hobbit*> thing.
I think it's important to support ridiculously long URLs; arbitrarily
small URL length limits stop you from being able to accumulate session
state in the URL, which is a nice thing to be able to do. In most web
applications, the state that is kept (like input to queries) is small;
I have some applications that need a lot more.
Proper and careful use of dynamic string libraries is in any case
better than fixed-size buffers; they solve the security problem (with
overflows) and they do not inhibit functionality, as do fixed-size
buffers.
-Rens
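The dynamic-string approach Rens argues for, as an added C example that is not from this post or from any httpd: a growable, always NUL-terminated string that accepts a request target of any practical length, combined with the sanity limit Hobbit asks for so an oversized input fails cleanly instead of being truncated or overflowing a fixed buffer. The names `dynstr`, `ds_append` and `assemble_target` and the chunked input are chosen here for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Growable, always NUL-terminated string; stands in for `char url[BUFSIZ]`.
 * Initialise with `dynstr d = {0};` and release with ds_free(). */
typedef struct { char *s; size_t len, cap; } dynstr;

/* Make room for at least `need` bytes plus the terminator, doubling capacity. */
static int ds_reserve(dynstr *d, size_t need) {
    size_t ncap = d->cap ? d->cap : 64;
    char *p;
    if (need + 1 <= d->cap) return 0;
    while (ncap < need + 1) {
        if (ncap > SIZE_MAX / 2) return -1;   /* size_t overflow guard */
        ncap *= 2;
    }
    p = realloc(d->s, ncap);
    if (p == NULL) return -1;
    d->s = p;
    d->cap = ncap;
    return 0;
}

/* Append n bytes. `limit` is the hard sanity cap on total length: exceeding it
 * fails cleanly (nothing is copied) rather than truncating or overflowing.
 * Invariant: d->len <= limit, so `limit - d->len` cannot wrap. */
int ds_append(dynstr *d, const char *src, size_t n, size_t limit) {
    if (d->len > limit || n > limit - d->len) return -1;
    if (ds_reserve(d, d->len + n) != 0) return -1;
    memcpy(d->s + d->len, src, n);
    d->len += n;
    d->s[d->len] = '\0';
    return 0;
}

void ds_free(dynstr *d) { free(d->s); d->s = NULL; d->len = d->cap = 0; }

/* Assemble a request target from the pieces successive socket reads return
 * (constructed input in the caller). Returns the final length, or -1 if the
 * limit was exceeded or allocation failed; `out` then holds what fit so far. */
long assemble_target(dynstr *out, const char *const *chunks, size_t nchunks,
                     size_t limit) {
    size_t i;
    for (i = 0; i < nchunks; i++)
        if (ds_append(out, chunks[i], strlen(chunks[i]), limit) != 0)
            return -1;
    return (long)out->len;
}
```

With a generous limit a 10,000-byte query string carrying session state is accepted intact; with a 4 KB limit the same input is rejected at the first piece that would cross it, with no partial write past the limit.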