List:       xmlrpc-user
Subject:    RE: XML-RPC security question and Apache implementation
From:       Pannese_Donald () emc ! com
Date:       2006-05-03 17:53:53
Message-ID: A052A09408B33B4A90E5A3F9A5321262079263AE () corpmxgmm3 ! corp ! emc ! com

Thanks for the info Adam.

-Don

-----Original Message-----
From: Adam Taft [mailto:adam@hydroblaster.com] 
Sent: Wednesday, May 03, 2006 1:06 PM
To: xmlrpc-user@ws.apache.org
Subject: RE: XML-RPC security question and Apache implementation

Don,

The original Apache code came from the helma source code, you are right.  
The young versions of the code (version 1.x) are very similar to the helma 
source code.

I use the 1.2b (?) version of the software (i.e. a version based on the 
Helma source code).  The problem you suggest has been fixed.  I just read 
the code that fixes the problem.  Download the source code and read it 
yourself.  Look in the Invoker class.

Nonetheless, the later versions of the code (version 2.x and 3.x) are 
pretty much rewrites of the original code.  That is, there's very little, 
if any, source code that is the same between the 1.x and the 2.x+ branches.  
Again, download the code and check for yourself.  So, Georg's reply to you 
was accurate.

Why are you fanning flames?  It seems like you're trying to pick a fight?

1)  The original code, based on Helma, has the fix in place that you 
mention.

2)  Later versions of Apache's XmlRpc code are not based on the Helma 
code.

I'm not seeing an issue here.  Remember, this is open source software.  If 
you have a question or problem with the source code, you're probably best 
to answer these questions yourself by examining the very source code in 
question.

Adam


On Tue, 2 May 2006 Pannese_Donald@emc.com wrote:

> Really? That is strange because when you go to
> http://classic.helma.at/hannes/xmlrpc/ which is the old site of the helma
> release it points you to the Apache site because Apache adopted the Helma
> code.
> 
> So why is the software I point to totally different? Is it not the
> software that Apache adopted (and modified later)?
> 
> -Don 
> 
> -----Original Message-----
> From: Georg Sauer-Limbach [mailto:gsl@gslweb.de] 
> Sent: Tuesday, May 02, 2006 5:38 PM
> To: xmlrpc-user@ws.apache.org
> Subject: Re: XML-RPC security question and Apache implementation
> 
> Pannese_Donald@emc.com wrote:
> > So I was just wondering
> > if the Apache implementation patched this problem.
> > 
> > http://xmlrpc-c.sourceforge.net/hacks/helma-xmlrpc-introspection.diff
> 
> This software you are pointing to is totally different from
> Apache's XML-RPC implementation. The bugs and security holes
> were in that other software, not in Apache XML-RPC.
> 
> Georg
> 
