Re: Who maintains Tclhttpd?

On May 3, 9:11 am, George Peter Staplin
<georgepsSPAMME...@xxxxxxxxxxxx> wrote:
EL wrote:
Hi,

as I see, the last commits to Tclhttpd on sourceforge
(http://tclhttpd.sourceforge.net/) have been done 2 years ago.

The tracker contains several recent bugs (submitted 2007), but no
discussions, and nobody seems to take care about them... otherwise there
would probably be recent commits, or even a release since 2004.

Bug 1446208 (server is open for XXS attacks) is a very prominent and
scary example. Submitted by nobody on 2006/03/09, assigned to nobody and
nobody discussed. Nobody who submitted the bug had even provided a
"clumsy workaround", but nobody who was assigned to the bug has done
nothing (of course).

According to the project site, Brent B. Welch (who sadly seems to have
been disappeared) and Jeff Hobbs are the official project maintainers.
If Brent and Jeff don't have time or too many other assignments,
wouldn't it make sense to find another maintainer?

It would be sad, if this great piece of software would die...

I think a lot of people have moved to Wub. The Tcler's Wiki is powered
by Wub now. The creator of Wub used to do more than a few commits to
tclhttpd.

http://code.google.com/p/wub/

I've been frustrated by the [gets] security bug. You can crash a
tclhttpd server (due to an out of memory condition) quite easily with:

puts -nonewline $sock [string repeat "GETSTHIS" $someLargeNumber]


If I understand the problem correctly, it could probably be solved by
the new TCL 8.5 [chan pending] command, as in:

set data [gets $sock]
if {[chan pending $sock] > 1024} {
close $sock
}


You can also do it over a period of time, so long as you avoid the
timeout that tclhttpd uses.

Another bug was with Tcl's [fcopy]. I have noticed seemingly random
data truncation with tclhttpd that I believe (after studying the code
paths) was caused by fcopy. tclhttpd uses fcopy. fcopy was buggy, and
it only seems to have been fixed recently. We literally had multiple
bugs in the Tcl tracker for fcopy that went unfixed for years, until
Alexandre Ferrieux recently tracked them down and fixed them. Tcl 8.6
will have the changes.

The XXS potential attack seems to be rather serious, if I understand
what is being implied by that.

There seem to be never ending new ways to exploit the XSS attack.
I would rather deal with it on the application level
(write safe code, reject bad data). Otherwise, IMHO, the server might
soon become bloated with all that security code.
Also, if I understand it correctly, most of the XSS security problems
happen on the client (browser) side.


---Victor
.

Relevant Pages

  • Re: Who maintains Tclhttpd?
    ... the last commits to Tclhttpd on sourceforge ... and nobody seems to take care about them... ... Nobody who submitted the bug had even provided a ... Another bug was with Tcl's [fcopy]. ...
    (comp.lang.tcl)
  • Re: Who maintains Tclhttpd?
    ... The tracker contains several recent bugs, but no discussions, and nobody seems to take care about them... ... Nobody who submitted the bug had even provided a "clumsy workaround", but nobody who was assigned to the bug has done nothing. ... I think a lot of people have moved to Wub. ... The creator of Wub used to do more than a few commits to tclhttpd. ...
    (comp.lang.tcl)
  • Re: [PATCH] Fix /sys/device/.../power/state regression
    ... And the way these things work, unfortunately, is that merging your patch ... would ensure nobody ever gets such interest. ... software which chose to START using an interface that's been on its way ... Any time a bug gets fixed, ...
    (Linux-Kernel)
  • Re: FC2 samba password...
    ... > I remove the nobody from smbpasswd and I restart samba, ... seems to be a bug. ...
    (Fedora)
  • Re: [Diehard] Overlap sum test
    ... >> I'd like to hear some comment based on real facts. ... I pasted your explanation in the source code of my implementation of ... possibly bug and nobody seems interested in that post. ...
    (sci.crypt)