Comment 9 for bug 1638957

Seth Arnold (seth-arnold) wrote:

I reviewed http-parser version 2.1-2 as checked into zesty. This shouldn't
be considered a full security audit but rather a quick gauge of
maintainability.

No CVEs in our database

- http-parser provides an API with callbacks to handle HTTP parsing. It
  doesn't do any networking itself, strictly protocol parsing.

- Build-Depends: debhelper, dh-exec, dpkg-dev
- Does not daemonize
- No maintainer scripts
- No initscripts
- No dbus services
- No setuid
- No binaries in PATH
- No sudo fragments
- No udev rules
- Tests are run during the build; they're ugly in the build logs but
  they're there
- No cron jobs
- Clean build logs

- No subprocesses spawned
- No memory management
- No file IO
- No logging
- No environment variables
- No networking
- No privileged sections of code
- No cryptography
- No tmp files
- No webkit
- No JS
- No PolicyKit
- Clean cppcheck

http-parser is a by-hand, character-by-character HTTP parser. HTTP is not
easy, so neither is this code, but it's remarkably clean given the
complexity involved. The state transitions are clearly labeled, error
handling appears defensive, and bounds appear to be checked.

Security team ACK for promoting http-parser to main.

Thanks