© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
I reviewed http-parser version 2.1-2 as checked into zesty. This shouldn't
be considered a full security audit but rather a quick gauge of
maintainability.
No CVEs in our database
- http-parser provides an API with callbacks to handle HTTP parsing. It
doesn't do any networking itself, strictly protocol parsing.
- Build-Depends: debhelper, dh-exec, dpkg-dev
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Tests are run during the build; they're ugly in the build logs but
they're there
- No cron jobs
- Clean build logs
- No subprocesses spawned
- No memory management
- No file IO
- No logging
- No environment variables
- No networking
- No privileged sections of code
- No cryptography
- No tmp files
- No webkit
- No JS
- No PolicyKit
- Clean cppcheck
http-parser is a by-hand character-
easy so neither is this code but it's remarkably clean given the
complexity involved. The state transitions are clearly labeled, error
handling appears defensive, bounds appeared to be checked.
Security team ACK for promoting http-parser to main.
Thanks