Re: [libmicrohttpd] [PATCH] Check response existence on upgrade
On Thu, 4 May 2017 23:36:23 +0300 Evgeny Grin wrote:
> Thanks! Applied.
>

Hello Evgeny,

After thinking about the issue, I guess that it is a serious vulnerability. I guess that a simple curl request to a server running 0.52 or 0.53 can raise the SEGV.

IMHO if

curl http://www.myserver.org/path-to-404

returns a 404 error

curl -H "Connection: Upgrade" http://www.myserver.org/path-to-404

would raise the issue.

I'll let you conclude but a CVE is probably a good idea.

Best regards
José
Re: [libmicrohttpd] How to close all upgraded connections when shutting down MHD_Daemon?
One of the good things of MHD is its small size, so I totally agree with you. :-)

On Thu, May 4, 2017 at 11:20 AM, Christian Grothoff wrote:
> You forgot to update doc/libmicrohttpd.texi, otherwise looks OK even
> though I'm not convinced SHUTDOWN/QUESTCED are useful: an application
> can trivially track those itself, so these two are definitively just API
> bloat.
>
> On 05/04/2017 03:59 PM, silvioprog wrote:
> > Done. So dudes, what do you think about this attached patch?
> >

--
Silvio Clécio
[libmicrohttpd] issue with suspend/resume
Hi

Was there a change in how suspend/resume works?

I observe that responses are no more sent after resuming.

Best regards
José Bollo
Re: [libmicrohttpd] How to close all upgraded connections when shutting down MHD_Daemon?
Dude, thanks for the explanation regarding union + bool/char, I did some tests and noticed this issue. Please ignore the sent patch. :-)

On Thu, May 4, 2017 at 11:29 AM, Evgeny Grin wrote:
> Same for "pending data".
> Moreover MHD_DAEMON_INFO_PENDING_DATA is confusing and not correct.
> Zero in data_already_pending doesn't mean that no data is pending. Zero
> only means that "no data for immediately process". May be socket is not
> ready for sending more data, but more data is pending.
>
> And mapping "bool" to not bool is not correct. union MHD_DaemonInfo
> doesn't have "bool" member and currently we do not want to expose "bool"
> in public header.
> On some platforms "bool" can be implemented as "char".
>
> --
> Best Wishes,
> Evgeny Grin
>
> On 04.05.2017 17:20, Christian Grothoff wrote:
> > You forgot to update doc/libmicrohttpd.texi, otherwise looks OK even
> > though I'm not convinced SHUTDOWN/QUESTCED are useful: an application
> > can trivially track those itself, so these two are definitively just API
> > bloat.
> >
> > On 05/04/2017 03:59 PM, silvioprog wrote:
> >> Done. So dudes, what do you think about this attached patch?
> >>

--
Silvio Clécio
Re: [libmicrohttpd] issue with suspend/resume
Hi José,

Shouldn't be any change.
Could you provide minimal example?

--
Best Wishes,
Evgeny Grin

On 05.05.2017 17:06, José Bollo wrote:
> Hi
>
> Was there a change in how suspend/resume works?
>
> I observe that responses are no more sent after resuming.
>
> Best regards
> José Bollo
>