1995-10-05 - Re: New Netscape bug (in version 1.12)

Header Data

From: Ray Cromwell <rjc@clark.net>
To: jsw@neon.netscape.com (Jeff Weinstein)
Message Hash: e7ade83b433c26f8211b0c19c9b13fb65c82d2016172306a4c68984a6a8f460d
Message ID: <199510042139.RAA26832@clark.net>
Reply To: <44td0c$3um@tera.mcom.com>
UTC Datetime: 1995-10-05 00:40:11 UTC
Raw Date: Wed, 4 Oct 95 17:40:11 PDT

Raw message

From: Ray Cromwell <rjc@clark.net>
Date: Wed, 4 Oct 95 17:40:11 PDT
To: jsw@neon.netscape.com (Jeff Weinstein)
Subject: Re: New Netscape bug (in version 1.12)
In-Reply-To: <44td0c$3um@tera.mcom.com>
Message-ID: <199510042139.RAA26832@clark.net>
MIME-Version: 1.0
Content-Type: text/plain

Jeff Weinstein wrote:
> >   That's true, but it is also true that Netscape should also be
> > performing some sanity checking on input rather than relying on 
> > the supporting libraries to be secure. Remember, a hole is a hole.
> > The last sendmail bug was a buffer overflow in syslog, however,
> > sendmail still got patched to do bounds checking on the strings
> > it was passing to syslog. 
> > 
> >   It looks like this is only a bug on BSDI2.0/XAccel, and NT3.5/NS1.1. But
> > is it wise for netscape to be sending 10,000 character strings to GUI
> > functions anyway? 
>   While I agree that we should probably truncate this string to something
> smaller than 10000 characters (I've already filed a bug on it here), it
> is perfectly legal X protocol to send 10,000 characters to the X server.
> How do I decide what is too long?  For example, when tracking down buffer
> overflow problems for the security patch, we found an undocumented
> static buffer limit of 64 bytes for the hostname passed to gethostbyname()
[lots deleted]

  I agree with a lot of what you say Jeff. What I would do is set the string
limits to be whatever the specs allow. For instance, in the case of
domain names, the limit is supposed to be 256. In a mailto: just what
is the limit of an RFC822 valid e-mail address? 

  I will say that Netscape is a very robust program. I have created documents
with 10,000 nested <UL> lists, and the program didn't dump. I have
created forms with 10,000 selection widgets with overlong labels and variable
names and it handled them (didn't display them very well). However, I am
a little wary of netscape allowing lists and forms having 10,000
levels. For one thing, although the 10,000 nested lists didn't crash
netscape, they did use up all the swap space on my computer except for
300k. A 10K byte document was able to exhaust 32megs of ram.

  When I combined super-nested lists with overlong FORM variable names
and an extra long title, I did get a few sporadic coredumps. Some people
may have a religious position on browsers limiting SGML/HTML nested
structures (because they feel the browser should be able to handle any
"legal" document), but I for one am more pragmatic. 

  I hope you don't take my criticisms as an attack on your programmers.
Netscape is my all around favorite application. I just want to see it
improved and safer.
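The pragmatic position taken in this thread (bound nesting depth and string lengths at the input boundary instead of trusting every downstream library) can be shown as a small validator. The code below is an added example and is not code from the thread, from Netscape, or from any browser; the limits it enforces (32 levels of list nesting, 1024-character attribute values, 256-character titles) are assumed policy values chosen for illustration, and the nested-list sample input is constructed here to exercise the depth check.

```python
from html.parser import HTMLParser

# Assumed policy limits for this example (illustrative, not from the thread
# or from any real browser). A deployment would pick values from its specs
# and from the buffers it actually hands data to.
MAX_NESTING_DEPTH = 32
MAX_ATTR_VALUE_LEN = 1024
MAX_TITLE_LEN = 256

# Elements whose nesting is counted. Each level costs the renderer state,
# which is what the thread observed exhausting memory.
NESTING_TAGS = {"ul", "ol", "dl", "blockquote", "table"}


class LimitExceeded(ValueError):
    """Raised when a document exceeds a configured sanity limit."""


class BoundedHTMLParser(HTMLParser):
    """Tracks nesting depth of list-like elements and bounds attribute and
    title lengths, rejecting the document as soon as a limit is passed."""

    def __init__(self, max_depth=MAX_NESTING_DEPTH,
                 max_attr_len=MAX_ATTR_VALUE_LEN, max_title_len=MAX_TITLE_LEN):
        super().__init__()
        self.max_depth = max_depth
        self.max_attr_len = max_attr_len
        self.max_title_len = max_title_len
        self.depth = 0        # current nesting depth of NESTING_TAGS
        self.deepest = 0      # deepest nesting seen before stopping
        self.in_title = False
        self.title_len = 0

    def handle_starttag(self, tag, attrs):
        # Bound every attribute value (e.g. FORM variable names) before it
        # reaches any fixed-size buffer further down the stack.
        for name, value in attrs:
            if value is not None and len(value) > self.max_attr_len:
                raise LimitExceeded(
                    f"attribute {name!r} on <{tag}> is {len(value)} chars "
                    f"(limit {self.max_attr_len})")
        if tag in NESTING_TAGS:
            self.depth += 1
            self.deepest = max(self.deepest, self.depth)
            if self.depth > self.max_depth:
                raise LimitExceeded(
                    f"<{tag}> nesting depth {self.depth} exceeds "
                    f"{self.max_depth}")
        elif tag == "title":
            self.in_title = True

    def handle_endtag(self, tag):
        if tag in NESTING_TAGS and self.depth > 0:
            self.depth -= 1
        elif tag == "title":
            self.in_title = False

    def handle_data(self, data):
        # Title text is accumulated across chunks so a split string cannot
        # slip past the limit.
        if self.in_title:
            self.title_len += len(data)
            if self.title_len > self.max_title_len:
                raise LimitExceeded(
                    f"title is {self.title_len}+ chars (limit "
                    f"{self.max_title_len})")


def check_document(html, **limits):
    """Return {'ok': bool, 'reason': str, 'deepest': int} for a document.
    Parsing stops at the first violated limit, so cost stays bounded."""
    parser = BoundedHTMLParser(**limits)
    try:
        parser.feed(html)
        parser.close()
    except LimitExceeded as exc:
        return {"ok": False, "reason": str(exc), "deepest": parser.deepest}
    return {"ok": True, "reason": "", "deepest": parser.deepest}


def nested_lists(depth, item="x"):
    """Constructed sample input: `depth` nested <ul> lists around one item."""
    return "<ul><li>" * depth + item + "</li></ul>" * depth


if __name__ == "__main__":
    print(check_document(nested_lists(10)))   # within limits
    print(check_document(nested_lists(40)))   # rejected at depth 33
    print(check_document("<title>" + "t" * 300 + "</title>"))
    print(check_document("<form><input name='" + "a" * 2000 + "'></form>"))
```

Because the parser raises at the first violation, a hostile document costs at most the work needed to reach the limit rather than the full document; `deepest` in the result records how far nesting got, which is useful when tuning the limit against real pages.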