v m | 6 Oct 07:53 2005

cross compile error


hi , i am new to this group
i am compiling libwww for arm-elf target. I have given the following configure options and i am getting the following errors .

CC=/Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc ./configure --host=i686-pc-linux-gnu --target=arm-elf --prefix=/Mozilla/spa/armutils/toolchain
loading cache ./config.cache
checking host system type... i686-pc-linux-gnu
checking target system type... arm-unknown-elf
checking build system type... i686-pc-linux-gnu
checking for a BSD compatible install... (cached) /usr/bin/install -c
checking whether build environment is sane.... yes
checking whether make sets ${MAKE}... (cached) yes
checking for working aclocal... found
checking for working autoconf... found
checking for working automake... found
checking for working autoheader... found
checking for working makeinfo... found
checking for gcc... (cached) /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc
checking whether the C compiler (/Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc  ) works... yes
checking whether the C compiler (/Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc  ) is a cross-compiler... yes
checking whether we are using GNU C... (cached) yes
checking whether /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc accepts -g... (cached) yes
checking for POSIXized ISC... no
checking for Cygwin environment... (cached) no
(cached) no
checking for executable suffix... (cached) no
checking for ranlib... (cached) ranlib
checking for ld used by GCC... (cached) /Mozilla/spa/armutils_2.5.87.1/toolchain/arm-elf/bin/ld
checking if the linker (/Mozilla/spa/armutils_2.5.87.1/toolchain/arm-elf/bin/ld) is GNU ld.... (cached) yes
checking for BSD-compatible nm... (cached) /usr/bin/nm -B
checking whether ln -s works... (cached) yes
loading cache ./config.cache within ltconfig
checking for object suffix... o
checking for executable suffix... (cached) no
checking for /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc option to produce PIC... -fPIC
checking if /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc PIC flag -fPIC works... yes
checking if /Mozilla/spa/armutils_2..5.87.1/toolchain/bin/arm-elf-gcc supports -c -o file.o... yes
checking if /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc supports -c -o file.lo... yes
checking if /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc supports -fno-rtti -fno-exceptions ... yeschecking if /Mozilla/spa/armutils_2.5.87.1/toolchain/bin/arm-elf-gcc static flag -static works... -static
checking if the linker (/Mozilla/spa/armutils_2.5.87.1/toolchain/arm-elf/bin/ld) is GNU ld... yes
checking whether the linker (/Mozilla/spa/armutils_2.5.87.1/toolchain/arm-elf/bin/ld) supports shared libraries... yes
checking command to parse /usr/bin/nm -B output.... ok
checking how to hardcode library paths into programs... immediate
checking for /Mozilla/spa/armutils_2.5.87.1/toolchain/arm-elf/bin/ld option to reload object files... -r
checking dynamic linker characteristics... Linux ld.so
checking if libtool supports shared libraries.... yes

  and some processing and gives the following error
 

checking for uid_t in sys/types.h... yes
checking for pid_t... yes
checking type of array argument to getgroups... gid_t
checking for mode_t... yes
checking for size_t... yes
checking return type of signal handlers... void
checking for BOOLEAN... no
checking for u_char... yes
checking for u_short... yes
checking for u_long... yes
checking size of char... configure: error: can not run test program while cross compiling



please help me to get out of this error.




rahul | 10 Oct 14:10 2005

Re: [Sven.Laaks


hiiiii
can anybody tell how to link SSL with libwwww.
as i tried to call SSL function in HTTCP.c for the purpose of server 
authentication, it is giving followin errors
HTSSL_init()
is undefined

please help
Thanks & Regards
rahul

Jose Kahan | 14 Oct 11:00 2005
Picon

libwww security advisory

Hi Vic,

Have you seen this security advisory about a DoS problem in libwww?
As the current release has that problem, maybe we should remove it
and put in a new one, that includes all your code. 

However. one thing that bothers me in making a new release is that
the Changelog has not been updated. Its purpose was to log all the
changes done to the libwww tree. Without it, there's no way of documenting
what changes people should expect between the two versions. Maybe you have
documented them elsewhere?

-jose

1. http://secunia.com/advisories/17119/
2. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159597
GAJA RAVI SANKAR | 14 Oct 12:00 2005
Picon

cross compile


hi all,
im trying to cross compile (libwww-5.2.8/ libwww-5.3.2/ libwww-5.4.0/) , for
my arm platform , from pc(x86)
i kud not even configure,it stops like this

..................................
checking size of time_t... 4
checking for size_t... (cached) yes
checking size of size_t... 4
configure: error: cannot run test program while cross compiling
See `config.log' for more details.

i googled a lot and found, scratchbox's (cross compiler) cpu transparency ,
would help solve the prblem
i tried that in vain,
IS there any other way i kud do it.

greetings
gaja ravi

---------------------------------------------------------------------------
       "This e-mail and any files transmitted with it are for the sole use
of the intended recipient(s) and may contain confidential and privileged
information. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.

       Any unauthorized review, use, disclosure, dissemination, forwarding,
printing or copying of this email or any action taken upon this e-mail is
strictly prohibited and may be unlawful."
---------------------------------------------------------------------------

Jose Kahan | 14 Oct 13:08 2005
Picon

Re: libwww security advisory

I forgot to explain those links!

[1] is the advisory. [2] gives a patch. There's also a mention
of other patches to fix other problems. I don't believe they tried
to contribute them to the www-lib mailing list, though.

-jose

1. http://secunia.com/advisories/17119/
2. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159597

Vic Bancroft | 14 Oct 14:38 2005
Picon
Picon

Re: libwww security advisory


Jose Kahan wrote:

>[1] is the advisory. [2] gives a patch. There's also a mention
>of other patches to fix other problems. 
>
Ya, I have now read the advisory and the bugzilla entry and am reviewing 
Sam's new code for HTBound.c . . . It should not be a problem to include 
it with appropriate revisions to the Changelog file for a new release. 

I am resetting my account with the Redhat Bugzilla in order to make an 
appropriate comment there.  It would also be prudent to do a report of 
libwww bugs reported there to see if anything else pops up.

>I don't believe they tried to contribute them to the www-lib mailing list, though.
>  
>
Yea, I watch the list and have not seen it.  Posts with code or diffs 
get applied fairly quickly . . .

more,
l8r,
v

>1. http://secunia.com/advisories/17119/
>2. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159597
>  
>

--

-- 
"The future is here. It's just not evenly distributed yet."
 -- William Gibson, quoted by Whitfield Diffie

[3] https://bugzilla.redhat.com/bugzilla/report.cgi?query_format=report-table&short_desc_type=allwordssubstr&short_desc=&product=Bugzilla&product=eCos&product=Fedora+Core&product=Fedora+Directory+Server&product=Fedora+Documentation&product=Fedora+Extras&product=Fedora+Infrastructure&product=Fedora+Legacy&product=Fedora+Management+Console&product=Red+Hat+Academy&product=Red+Hat+Application+Server&product=Red+Hat+Application+Server+Public+Beta&product=Red+Hat+Cluster+Suite&product=Red+Hat+Collaboration+Applications&product=Red+Hat+Contrib%7CNet&product=Red+Hat+Database&product=Red+Hat+Developer+Program&product=Red+Hat+Developer+Suite&product=Red+Hat+Enterprise+CMS&product=Red+Hat+Enterprise+Linux&product=Red+Hat+Enterprise+Linux+Public+Beta&product=Red+Hat+Enterprise+Portal+Server&product=Red+Hat+High+Availability+Server&product=Red+Hat+Linux&product=Red+Hat+Linux+Beta&product=Red+Hat+Network&product=Red+Hat+Powertools&product=Red+Hat+Powertools+Public+Beta&product=Red+Hat+Public+Beta&product=Red+Hat+Raw+Hide&product=Red+Hat+Ready+Certification+Tests&product=Red+Hat+Secure+Web+Server&product=Red+Hat+Web+Application+Framework&product=Red+Hat+Web+Site&product=Source-Navigator&product=Stronghold+4.0+for+Red+Hat+Advanced+Server&product=Stronghold+Cross+Platform&product=Stronghold+for+Red+Hat+Linux&version=%28fedora.us%29+1&version=%28fedora.us%29+2&version=%28fedora.us%29+RH9&version=1.0&version=1.0-beta1&version=1.0-beta2&version=1.1&version=1.2&version=1.2.1&version=1.2.10&version=1.2.2&version=1.2.3&version=1.2.4&version=1.2.5&version=1.2.6&version=1.2.7&version=1.2.8&version=1.2.9&version=1.3.1&version=1.3.10&version=1.3.11&version=1.3.12&version=1.3.13&version=1.3.14&version=1.3.15&version=1.3.2&version=1.3.3&version=1.3.4&version=1.3.5&version=1.3.6&version=1.3.7&version=1.3.8&version=1.3.9&version=1.4.1&version=1.4.2&version=1.4.3&version=1.4.4&version=1.4.5&version=1.4.6&version=1.4.7&version=1.4.8&version=1.4.9&version=1.5&version=1.5.1&version=1.5.2&version=1.5.3&version=1.5.4&version=1.5.5&version=1.6&version=1.7&version=1.8&version=2&version=2.0&version=2.0+beta+1&version=2.0-beta&version=2.1&version=2.15&version=2.17&version=2.18&version=2.1AS&version=2.1DE&version=2.1ES&version=2.1r&version=2.1rC&version=2.1WS&version=2.2&version=2.8&version=3&version=3.0&version=3.1&version=3.2&version=4&version=4.0&version=4.2&version=4.5.1&version=5.0&version=5.1&version=5.2&version=6.0&version=6.1&version=6.1.90&version=6.1.91&version=6.2&version=6.2EE&version=6.2J&version=7.0&version=7.0J&version=7.0tc&version=7.1&version=7.1k&version=7.2&version=7.2c-RC1&version=7.3&version=8.0&version=9&version=alpha+1&version=alpha+2&version=alpha+3&version=AS-beta1&version=AS-beta2&version=AS-beta3&version=beta&version=beta1&version=beta2&version=beta3&version=beta4&version=beta5&version=core1&version=current&version=CVS&version=devel&version=fc1&version=fc2&version=fc3&version=fc3test1&version=fc3test2&version=fc3test3&version=fc4&version=fc4test1&version=fc4test2&version=fc4test3&version=fisher&version=GinGin64&version=limbo&version=nightly&version=null&version=pensacola&version=phoebe&version=prebeta&version=Q1+Errata+Beta&version=Q2+Errata+Beta&version=Q3+Errata+Beta&version=RC1&version=RC2&version=RC3&version=rhel21-update&version=rhel3-update&version=rhel4-beta1&version=rhel4-beta2&version=rhel4-rc1&version=rhel4-update&version=rhl7.3&version=rhl9&version=RHN+Devel&version=RHN+Stable&version=rhn250&version=rhn260&version=rhn260e&version=rhn270&version=rhn280&version=rhn290&version=rhn300&version=rhn310&version=rhn320&version=rhn330&version=rhn340&version=rhn350&version=rhn360&version=rhn370&version=rhn400&version=rhn410&version=roswell&version=skipjack-beta1&version=skipjack-beta2&version=test1&version=test2&version=test3&version=unspecified&version=wolverine&component=w3c-libwww&component_text=&query_format=report-table&bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=RESOLVED&bug_status=CLOSED&bug_status=NEEDINFO&bug_status=MODIFIED&bug_status=ASSIGN_TO_PM&bug_status=INVESTIGATE&bug_status=SPEC&bug_status=ON_DEV&bug_status=QA_READY&bug_status=ON_QA&bug_status=PROD_READY&bug_status=FAILS_QA&bug_status=UNCONFIRMED&bug_status=NEEDINFO_REPORTER&bug_status=NEEDINFO_PM&bug_status=NEEDINFO_ENG&bug_status=PASSES_QA&bug_status=RELEASE_PENDING&bug_status=NEEDINFO_QA

Vic Bancroft | 15 Oct 18:28 2005
Picon
Picon

Re: libwww security advisory


Getting ready for a new version of cumulative bug fixes, does it looks 
like 5.5.0 ?

Sam Varshavchik wrote:

> Back in June, I tried to figure out who contact about this.  [...] I 
> must've overlooked the mailing list.

Ya, we tend to keep a low profile . . . in any case, we should go ahead 
and put out a new revision/version.
The ChangeLog.diff prior to your patch looks like,

    Index: ChangeLog
    ===================================================================
    RCS file: /sources/public/libwww/ChangeLog,v
    retrieving revision 1.50
    diff -r1.50 ChangeLog
    0a1,64
     > 2005-08-01       Vic Bancroft <bancroft <at> america.net>
     >
     >     * Library/src/: HTAlert.c, HTHeader.c, HTInit.c, HTNet.c,
     >       HTProfil.c, HTProt.c, HTTrans.c: Patch to greatly speed up
     >       repeated requests, from Arthur Smith
     >
     > 2005-07-25       Vic Bancroft <bancroft <at> america.net>
     >
     >     * Library/src/HTSQL.c: modifications to compile without using
     >       deprecated mysql functions
     >     * config/: config.sub, ltmain.sh: updates for recent version of
     >       libtool
     >
     > 2005-04-04       Jose Kahan <jose <at> w3.org>
     >
     >     * INSTALL.html, Library/src/HTEvtLst.c: cleaning
     >
     > 2005-03-09 Vic Bancroft <bancroft <at> america.net>
     >
     >     * libwww-config.in: include -lwwwssl, thanks to mgoddard at
     >       itgs-presearch.com
     >
     > 2005-02-28       Vic Bancroft <bancroft <at> america.net>
     > 07:28  vbancrof
     >
     >     * Library/src/SSL/HTSSLWriter.c: avoids an eternal loop in libwww
     >       (thanks to Steinar Bang)
     >
     > 2005-02-27       Vic Bancroft <bancroft <at> america.net>
     >
     >     * Library/src/SSL/HTSSL.html, Robot/src/RobotMain.c: fix for
    webbot
     >       -v option check and documentation addition
     >     * configure.ac, Library/src/SSL/HTSSL.c,
     >       Library/src/SSL/windows/wwwssl.def, Robot/src/HTRobMan.html,
     >       Robot/src/Makefile.am, Robot/src/RobotMain.c: basic support for
     >       client side certificates using PEM format
     >
     > 2005-01-23       Vic Bancroft <bancroft <at> america.net>
     >
     >     * Library/src/SSL/: HTSSL.c, HTSSLReader.c, HTSSLWriter.c: add
     >       openssl to include for ssl.h and rand.h
     >     * config/: config.guess, config.sub, ltmain.sh: update after
     >       running libtoolize
     >     * Robot/src/Makefile.am: use SSL directory for libwwwssl.la
     >     * Robot/src/RobotMain.c: include HTSSL.h
     >     * configure.ac: fix aclocal underquoting warnings
     >     * Robot/src/: RobotMain.c, Makefile.am: update to enable https
     >       protocol
     >
     > 2005-01-05       Martin Duerst <duerst <at> w3.org>
     >
     >     * Library/src/HTTPReq.c: fixed , to _ in HTTRACE call
     >     * Library/src/HTTPReq.c: removed LIBWWW_USEIDN, because
    unnecessary
     >     * modules/idn/unicode_template.c: forgot one file
     >     * Library/src/HTDNS.html: moved IDN to main branch
     >     * Library/src/HTDNS.c: moved IDN to main branch
     >     * Library/src/HTTPReq.c: added "LIBWWW_USEIDN" conditional
     >     * Library/src/HTTPReq.c: moved IDN to main branch
     >
     > 2004-01-29       Jose Kahan <jose <at> w3.org>
     >
     >     * Library/Overview.html: JK: Added the libwww survey results
     >
     >

> While waiting for the reply, I ran into even more problems with 
> HTBound.c, so I just ended up rewriting it from the beginning.

Okay, your patch looks like,

    16a18,19
     > **   SV Jun 05  Rewrote HTBoundary_put_block.  Fixed many
    bugs+segfaults.
     > **   SV Jul 05  Fix double-counting of processed bytes.
    25a29,30
     > #include "HTNetMan.h"
     > #include "HTChannl.h"
    28c33,34
    < #define PUTBLOCK(b, l)   
    (*me->target->isa->put_block)(me->target, b, l)
    ---
     > #define PUTBLOCK(b, l)    (me->target ?
    (*me->target->isa->put_block)(me->target, b, l):HT_OK)
     >
    33a40
     >     HTNet *                      net;
    39,41d45
    <     BOOL            body;          /* Body or preamble|epilog */
    <     HTEOLState            state;
    <     int                dash;             /* Number of dashes */
    43c47,52
    <     char *            bpos;
    ---
     >
     >     BOOL                        keptcrlf;
     >     int                         (*state)(HTStream *, const char
    *, int);
     >
     >     char                        *boundary_ptr;
     >
    45a55,56
     > PRIVATE int HTBoundary_flush (HTStream * me);
     >
    47a59,73
     > PRIVATE int start_of_line (HTStream * me, const char * b, int l);
     > PRIVATE int seen_dash (HTStream * me, const char * b, int l);
     > PRIVATE int seen_doubledash (HTStream * me, const char * b, int l);
     > PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char
    * b, int l);
     > PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const
    char * b, int l);
     > PRIVATE int seen_delimiter_dash(HTStream * me, const char * b,
    int l);
     > PRIVATE int seen_delimiter_terminal(HTStream * me, const char *
    b, int l);
     > PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char
    * b, int l);
     > PRIVATE int not_delimiter(HTStream * me, const char * b, int l,
    int extra);
     > PRIVATE int seen_nothing(HTStream * me, const char * b, int l);
     > PRIVATE int seen_cr(HTStream * me, const char * b, int l);
     > PRIVATE void process_boundary(HTStream *me, int isterminal);
     >
     > #define UNUSED(l) (l=l)    /* Shut up about unused variables */
     >
    50,79c76,179
    <     const char *start = b;
    <     const char *end = b;
    <     while (l-- > 0) {
    <     if (me->state == EOL_FCR) {
    <         me->state = (*b == LF) ? EOL_FLF : EOL_BEGIN;
    <     } else if (me->state == EOL_FLF) {
    <         if (me->dash == 2) {
    <         while (l>0 && *me->bpos && *me->bpos==*b) l--, me->bpos++,
    b++;
    <         if (!*me->bpos) {
    <             HTTRACE(STREAM_TRACE, "Boundary.... `%s\' found\n" _
    me->boundary);
    <             me->bpos = me->boundary;
    <             me->body = YES;
    <             me->state = EOL_DOT;
    <         } else if (l>0) {
    <             me->dash = 0;
    <             me->bpos = me->boundary;
    <             me->state = EOL_BEGIN;
    <         }
    <         }
    <         if (*b == '-') {
    <         me->dash++;
    <         } else if (*b != CR && *b != LF) {
    <         me->dash = 0;
    <         me->state = EOL_BEGIN;
    <         }
    <     } else if (me->state == EOL_SLF) {        /* Look for closing
    '--' */
    <         if (me->dash == 4) {
    <         if (end > start) {
    <             int status = PUTBLOCK(start, end-start);
    <             if (status != HT_OK) return status;
    ---
     >     /*
     >     ** The HTBoundary object gets attached downstream of HTMime.
     >     ** The HTBoundary object creates another HTMime object
    downstream of
     >     ** the HTBoundary object.
     >     **
     >     ** When we push data downstream to the second HTBoundary
    object, it
     >     ** updates the bytes read count in the HTNet object.
     >     **
     >     ** When we return to the parent HTMime object, itupdates the
     >     ** bytes read count in the HTNet object again.  Oops.
     >     **
     >     ** Same thing happens with the consumed byte count.  We can
    prevent
     >     ** the consumed byte counts from being updated by temporary
    setting
     >     ** the input channel stream pointer to NULL, but for the byte
    counts
     >     ** we have to save them and restore them before existing.
     >     **
     >     ** This bug was discovered by chance when a multipart/partial
    response
     >     ** was partially received, and as a result of double-counting the
     >     ** real response got cut off (because HTMime thought that
    more bytes
     >     ** were processed than actually were, thus it processed only the
     >     ** partial count of the remaining bytes in the response). 
    When the
     >     ** multipart/partial response was received all at once this
    bug did
     >     ** not get triggered.
     >     */
     >
     >     HTHost *host=HTNet_host(me->net);
     >     HTChannel *c=HTHost_channel(host);
     >     HTInputStream *i=HTChannel_input(c);
     >
     >     long saveBytesRead=HTNet_bytesRead(me->net);
     >     long saveHeaderBytesRead=HTNet_headerBytesRead(me->net);
     >
     >     if (i)
     >         HTChannel_setInput(c, NULL);
     >
     >     HTTRACE(STREAM_TRACE, "Boundary: processing %d bytes\n" _ l);
     >     /* Main loop consumes all input */
     >
     >     while (l)
     >     {
     >         int n= (*me->state)(me, b, l);
     >
     >         if (n == 0)
     >             return HT_ERROR;
     >         b += n;
     >         l -= n;
     >     }
     >
     >     if (i)
     >         HTChannel_setInput(c, i);
     >     HTNet_setBytesRead(me->net, saveBytesRead);
     >     HTNet_setHeaderBytesRead(me->net, saveHeaderBytesRead);
     >
     >     return HT_OK;
     > }
     >
     > /*
     > ** Start of line, keptcrlf=YES if we've kept the preceding CRLF
    from downstream
     > ** and we'll pass it along if we decide that this is not a
    boundary delimiter.
     > */
     >
     > PRIVATE int start_of_line (HTStream * me, const char * b, int l)
     > {
     >     if (*b != '-')
     >         return not_delimiter(me, b, l, 0);
     >
     >     HTTRACE(STREAM_TRACE, "Boundary: start of line: input '-'\n");
     >
     >     me->state= seen_dash;
     >
     >     return 1;
     > }
     >
     > /*
     > ** Line: -
     > */
     >
     > PRIVATE int seen_dash (HTStream * me, const char * b, int l)
     > {
     >     if (*b != '-')
     >         return not_delimiter(me, b, l, 1);
     >
     >     HTTRACE(STREAM_TRACE, "Boundary: start of line: input '--'\n");
     >
     >     me->state= seen_doubledash;
     >     me->boundary_ptr=me->boundary;
     >     return 1;
     > }
     >
     > /*
     > ** Line: --
     > */
     >
     > PRIVATE int seen_doubledash (HTStream * me, const char * b, int l)
     > {
     >     me->state=seen_doubledash;
     >
     >     if (*me->boundary_ptr)
     >     {
     >         if (*b != *me->boundary_ptr)
     >         {
     >             return not_delimiter(me, b, l,
     >                          me->boundary_ptr - me->boundary
     >                          + 2);
    81,96c181,411
    <         HTTRACE(STREAM_TRACE, "Boundary.... Ending\n");
    <         start = b;
    <         me->dash = 0;
    <         me->state = EOL_BEGIN;
    <         }
    <         if (*b == '-') {
    <         me->dash++;
    <         } else if (*b != CR && *b != LF) {
    <         me->dash = 0;
    <         me->state = EOL_BEGIN;
    <         }
    <         me->body = NO;
    <     } else if (me->state == EOL_DOT) {
    <         int status;
    <         if (me->body) {
    <         if (me->target) FREE_TARGET;
    ---
     >         ++me->boundary_ptr;
     >         return 1;
     >     }
     >
     >     /*
     >     ** Line: --delimiter
     >     */
     >
     >     if (*b == '-')
     >     {
     >         HTTRACE(STREAM_TRACE,
     >             "Boundary: start of line: input '--%s-'\n"
     >             _ me->boundary);
     >
     >         me->state=seen_delimiter_dash;
     >         return 1;
     >     }
     >
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: Found: '--%s'\n" _ me->boundary);
     >    
     >     return seen_delimiter_nonterminal(me, b, l);
     > }
     >
     > /*
     > ** Line: --delimiter
     > **
     > ** Waiting for CRLF.
     > */
     >
     >
     > PRIVATE int seen_delimiter_nonterminal(HTStream * me, const char
    * b, int l)
     > {
     >     UNUSED(l);
     >
     >     me->state=seen_delimiter_nonterminal;
     >     if (*b == CR)
     >         me->state=seen_delimiter_nonterminal_CR;
     >
     >     return 1;
     > }
     >
     > /*
     > ** Line: --delimiter<CR>
     > */
     >
     > PRIVATE int seen_delimiter_nonterminal_CR(HTStream * me, const
    char * b, int l)
     > {
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: Found: '--%s<CR>'\n" _ me->boundary);
     >    
     >     if (*b != LF)
     >         return seen_delimiter_nonterminal(me, b, l);
     >
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: Found: '--%s<CR><LF>'\n" _ me->boundary);
     >    
     >     process_boundary(me, NO);
     >     return 1;
     > }
     >
     > /*
     > ** Line: --delimiter-
     > */
     >
     > PRIVATE int seen_delimiter_dash(HTStream * me, const char * b, int l)
     > {
     >     if (*b != '-')
     >         return seen_delimiter_nonterminal(me, b, l);
     >
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: start of line: input '--%s--'\n"
     >         _ me->boundary);
     >    
     >     me->state=seen_delimiter_terminal;
     >     return 1;
     > }
     >
     > /*
     > ** Line: --delimiter--
     > */
     >
     > PRIVATE int seen_delimiter_terminal(HTStream * me, const char *
    b, int l)
     > {
     >     UNUSED(l);
     >
     >     me->state=seen_delimiter_terminal;
     >
     >     if (*b == CR)
     >         me->state=seen_delimiter_terminal_CR;
     >     return 1;
     > }
     > /*
     > ** Line: --delimiter--<CR>
     > */
     >
     > PRIVATE int seen_delimiter_terminal_CR(HTStream * me, const char
    * b, int l)
     > {
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: Found '--%s--<CR>'\n"
     >         _ me->boundary);
     >    
     >     if (*b != LF)
     >         return seen_delimiter_terminal(me, b, l);
     >     HTTRACE(STREAM_TRACE,
     >         "Boundary: Found '--%s--<CR><LF>'\n"
     >         _ me->boundary);
     >    
     >     process_boundary(me, YES);
     >     return 1;
     > }
     >
     > /*
     > ** Beginning of the line does not contain a delimiter.
     > **
     > **
     > ** extra: Count of characters in a partially matched delimiter. 
    Since it's
     > ** not a delimiter this is content that needs to go downstream.
     > */
     >
     > PRIVATE int not_delimiter(HTStream * me, const char * b, int l,
    int extra)
     > {
     >     HTTRACE(STREAM_TRACE, "Boundary: not a delimiter line\n");
     >    
     >     if (me->keptcrlf)
     >     {
     >         HTTRACE(STREAM_TRACE, "Boundary: Sending previous line's
    <CR><LF>\n");
     >         /*
     >         ** Did not process CRLF from previous line, because prev CRLF
     >         ** is considered a part of the delimiter.  See MIME RFC.
     >         */
     >
     >         me->keptcrlf=NO;
     >         if (PUTBLOCK("\r\n", 2) != HT_OK)
     >             return 0;
     >     }
     >
     >     /*
     >     ** Potentially matched some of: --DELIMITER
     >     */
     >
     >     if (extra)
     >     {
     >         HTTRACE(STREAM_TRACE, "Boundary: Sending
    partially-matched %d characters\n" _ extra);
     >
     >         if (PUTBLOCK("--", extra > 2 ? 2:extra) != HT_OK)
     >             return 0;
     >
     >         if (extra > 2)
     >             if (PUTBLOCK(me->boundary, extra-2) != HT_OK)
     >                 return 0;
     >     }
     >     return seen_nothing(me, b, l);
     > }
     >
     > /*
     > ** We're not looking for a delimiter.  Look for the next line of
    input
     > ** in the data that could potentially be a delimiter.
     > */
     >
     > PRIVATE int seen_nothing(HTStream * me, const char * b, int l)
     > {
     >     int i;
     >
     >     me->state=seen_nothing;
     >
     >     for (i=0; i<l; i++)
     >     {
     >         if (b[i] != CR)
     >             continue;
     >
     >         /*
     >         ** If we have at least four more characters in unconsumed
     >         ** input, and they're not \r\n--, we can safely skip over
     >         ** them.
     >         */
     >
     >         if (l-i > 4 &&
     >             strncmp(b+i, "\r\n--", 4))
     >             continue;
     >         break;
     >     }
     >
     >     if (i == 0)
     >     {
     >         /* Could only be a CR here. */
     >
     >         me->state=seen_cr;
     >         return 1;
     >     }
     >
     >     HTTRACE(STREAM_TRACE, "Boundary: Processed %d (out of %d)
    bytes\n"
     >         _ i _ l);
     >
     >     if (PUTBLOCK(b, i) != HT_OK)
     >         return 0;
     >
     >     return i;
     > }
     >
     > /*
     > ** State: seen a CR
     > */
     >
     > PRIVATE int seen_cr(HTStream * me, const char * b, int l)
     > {
     >     HTTRACE(STREAM_TRACE, "Boundary: Processed <CR>\n");
     >
     >     if (*b != LF)
     >     {
     >         HTTRACE(STREAM_TRACE, "Boundary: ... <LF> didn't follow\n");
     >         if (PUTBLOCK("\r", 1) != HT_OK)
     >             return 0;
     >         return seen_nothing(me, b, l);
     >     }
     >
     >     HTTRACE(STREAM_TRACE, "Boundary: Processed <CR><LF>\n");
     >     me->state=start_of_line;
     >     me->keptcrlf=YES;
     >     return 1;
     > }
     >
     > PRIVATE void process_boundary(HTStream *me, int isterminal)
     > {
     >     HTBoundary_flush(me);
     >     if (me->target) FREE_TARGET;
     >     me->target=NULL;
     >     me->state=start_of_line;
     >     me->keptcrlf=NO;
     >
     >     if (!isterminal)
    100,121d414
    <         if (end > start) {
    <             if ((status = PUTBLOCK(start, end-start)) != HT_OK)
    <             return status;
    <         }
    <         } else {
    <         if (me->debug)
    <             if ((status = PUTDEBUG(start, end-start)) != HT_OK)
    <             return status;
    <         }
    <         start = b;
    <         if (*b == '-') me->dash++;
    <         me->state = EOL_SLF;
    <     } else if (*b == CR) {
    <         me->state = EOL_FCR;
    <         end = b;
    <     } else if (*b == LF) {
    <         if (me->state != EOL_FCR) end = b;
    <         me->state = EOL_FLF;
    <     }
    <     b++;
    <     }
    <     return (start<b && me->body) ? PUTBLOCK(start, b-start) : HT_OK;
    123a417
     >
    136c430,432
    <     return (*me->target->isa->flush)(me->target);
    ---
     >     if (me->target == NULL)
     >         return HT_OK;
     >     return (*me->target->isa->flush)(me->target);
    184a481,484
     >
     >     UNUSED(param);
     >     UNUSED(input_format);
     >
    190c490,491
    <     me->request = request;
    ---
     >     me->net = HTRequest_net(request);
     >      me->request = request;
    194c495,498
    <     me->state = EOL_FLF;
    ---
     >
     >     me->state = start_of_line;
     >     me->keptcrlf=NO;
     >
    196c500
    <     me->bpos = me->boundary;
    ---
     >

We might want to apply that to our sandboxes and see if anything else 
breaks . . .

more,
l8r,
v

--

-- 
"The future is here. It's just not evenly distributed yet."
 -- William Gibson, quoted by Whitfield Diffie

Vic Bancroft | 16 Oct 02:09 2005
Picon
Picon

Re: libwww security advisory


Sam Varshavchik wrote:

> Vic Bancroft writes:
>
>> Okay, your patch looks like,
>
> [ . . . ]

Oh, sorry for not being more clear.  The patch I posted was pretty much 
the result of

    [bancroft <at> hilbert libwww]$ wget
    https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=118820
    [bancroft <at> hilbert libwww]$ mv attachment.cgi\?id\=118820 HTBound.c
    [bancroft <at> hilbert libwww]$ diff $( find . -name HTBound.c ) | tee
    HTBound.c.diff

My intent was to check in the results of

    [bancroft <at> hilbert libwww]$ patch Library/src/HTBound.c < HTBound.c.diff
    patching file Library/src/HTBound.c

Is there some modification to HTMIME.c that is needed for a complete 
revision ?

It would also help to have some nice examples of these problematic HTTP 
1.1 byte range requests for testing . . .

more,
l8r,
v

--

-- 
"The future is here. It's just not evenly distributed yet."
 -- William Gibson, quoted by Whitfield Diffie

Sam Varshavchik | 16 Oct 02:47 2005

Re: libwww security advisory

Vic Bancroft writes:

> My intent was to check in the results of
> 
>     [bancroft <at> hilbert libwww]$ patch Library/src/HTBound.c < HTBound.c.diff
>     patching file Library/src/HTBound.c
> 
> Is there some modification to HTMIME.c that is needed for a complete 
> revision ?

Nope.  HTMIME.c is ok.

> It would also help to have some nice examples of these problematic HTTP 
> 1.1 byte range requests for testing . . .

The problematic HTTP requests are very timing-dependent.

Try sending an HTTP request for two byte ranges, with each range being 200 
bytes long, and somehow get the HTTP server to return the HTTP header and 
the first 100 bytes of the first byte range in one packet, and have the rest 
of the response follow a few seconds later.

You're trying to arrange for libwww's first read() on the stream to return 
the HTTP header and the first half of the first byte range.  Your goal is to 
have libwww() set up the entire protocol stack with HTBound below HTMIME, 
and have HTBound terminate and unwind all the way back up to the net stream 
layer to read() the rest of the stream, and push it back down.

If you can set up this kind of a test environment, I'm pretty sure you 
should be able to see some bizarre results.

If you do something like this:

HTRequest_addRange(htr, "bytes", (char *)"0-199,200-299");
HTLoadToStream(url, yourstream, htr);

then your stream should expect to receive 400 bytes (presuming that the 
document being requested is at least 400 bytes long).  If you can somehow 
arrange to get the HTTP server's response to have the header and the first 
hundred, or so, bytes in the first packet, and the rest to follow a few 
seconds later, then your stream is going to receive only 200 bytes.  That's 
the behavior I was seeing here.

On a local LAN, thanks to Apache's aggressive buffering, the entire HTTP 
response should fit into a single ~1500 byte packet by default, and you 
won't normally get hit by this.  Even larger responses will probably not 
trigger this bug, due to socket buffering.

If you can't jury-rig a delayed HTTP response, try asking for a pair of one 
megabyte byte ranges, something like: "0-999999,1000000-1999999".  I'm 
pretty sure the original HTBound.c is going to break here, although my 
eyeballs can only vouch for a pair of shorter byte ranges on a very, very 
loaded server :-)

Vic Bancroft | 16 Oct 15:16 2005
Picon
Picon

Re: libwww security advisory


Okay, this security advisory patch is in, and the ChangeLog is fully up 
to date,

    Checking in Library/src/HTBound.c;
    /sources/public/libwww/Library/src/HTBound.c,v  <--  HTBound.c
    new revision: 2.15; previous revision: 2.14
    done
    Checking in ChangeLog;
    /sources/public/libwww/ChangeLog,v  <--  ChangeLog
    new revision: 1.52; previous revision: 1.51
    done

What needs to be done to roll out a new version ?

more,
l8r,
v

--

-- 
"The future is here. It's just not evenly distributed yet."
 -- William Gibson, quoted by Whitfield Diffie


Gmane