
Re: Bug#798458: RFS: mini-httpd/1.21-1 [ITA] -- Small HTTP server



 ❦ 11 September 2015 19:50 +0200, Vincent Bernat <bernat@debian.org> :

>>> The description of fix-mini-httpd-vhost could be "Append port number to
>>> vhost". The name of the patch could be "append-portno-to-vhost.patch". A
>>> bug report number to know why this is done would be great too.
>> fix name.
>> Yes, look [1]
>
> You can include the bug number in the patch (with Bug:). I see that you
> already put it in the changelog but the entry doesn't help to know what
> the patch is about.

In the patch itself, you can include the bug number.

Description: Append port number to vhost.
               Thanks Steffen Grunewald <steffen.grunewald@gmx.net>
Author: Jose dos Santos Junior <j.s.junior@live.com>
Last-Update: 2015-09-05
Bug: http://bugs.debian.org/xxxxx

>>> Also, this
>>> would make the Debian package behave differently than upstream. Has
>>> this patch been pushed upstream?
>> No, patch suggestion bug number #491078 [1]
>
> The bug is from 2008 and despite numerous releases, it is not present
> upstream. This makes mini-httpd behave differently in Debian than in
> other distributions or when just compiled from sources.
>
> This will also break setup of people that were relying on the original
> behavior, so you would need to add an entry in NEWS.Debian to advertise
> the change.
>
> I would not include the patch until it is vetted by upstream.

The patch to remove the port number is a deviation from what is done
upstream. mini-httpd in Debian won't behave in the same way as
mini-httpd somewhere else (including in older releases of Debian). The
patch should be pushed upstream and not applied in Debian until it is
applied upstream.

Moreover, if you apply the patch in Debian, you also need to write an
entry in debian/NEWS.Debian to tell the users that the behavior of
mini-httpd has changed. This is totally not worth it.

Just send the patch upstream (with a reference to the bug report). And
don't apply it yet.

>>> The description of fix-mini-httpd could be "Fix buffer overflow in
>>> add_to_response". The name of the patch could be
>>> "add_to_response-buffer-overflow.patch". The stuff about indexes should
>>> be moved out to a different patch: when your patch is applied upstream,
>>> you may discard it and forget about this part.
>>> 
>> Ok, fix name.
>> Yes, when the upstream fix is in the original tarball, I'll remove the patch.
>> thanks
>
> The patch still contains an unrelated change about how to find files
> like "index.html". Upstream may never fix the index.mini-httpd.html
> stuff, so you will have to separate the patch at some point. It's better
> to do it now.

The add_to_response-buffer-overflow patch also contains this chunk:

#v+
@@ -1140,8 +1140,8 @@ handle_request( void )
     char* cp;
     int r, file_len, i;
     const char* index_names[] = {
-       "index.html", "index.htm", "index.xhtml", "index.xht", "Default.htm",
-       "index.cgi" };
+       "index.html", "index.mini-httpd.html", "index.htm", "index.xhtml", "index.xht", "Default.htm",
+       "index.cgi", "index.php" };

     /* Set up the timeout for reading. */
 #ifdef HAVE_SIGSET
#v-
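
Review bot: the added "index.php" entry in index_names sits next to "index.cgi", but nothing in the visible lines shows that .php files are executed rather than served as static content; if the CGI pattern does not cover them, a directory request would return the PHP source. Also, "index.mini-httpd.html" is inserted ahead of "index.htm", so if the array is searched in order it takes precedence over every name after it, which changes which file existing sites serve. Suggest dropping "index.php" unless its handling is confirmed, appending any new name at the end of the list, and stating the reason for each addition in the patch header.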

This has nothing to do with the overflow problem. You need to put this
chunk into another patch.
-- 
Debian package sponsoring guidelines:
 http://vincent.bernat.im/en/debian-package-sponsoring.html
