httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_speling.c
Date Thu, 24 Sep 1998 18:06:03 GMT
On Thu, 24 Sep 1998, Dean Gaudet wrote:

> 300s aren't "errors". 

Exactly.  There are so many cases where you may want to log something and
send an "auto generated" response without having it filled with this.

Also, the major security issue of revealing all sorts of information that
formerly was private in the logs isn't dealt with.  That and not giving
anyone a way to disable it.

> 
> This error-notes thing is broken imnsho.  All of a sudden all the useful,
> informative error messages are completely overridden by terse log
> messages... this is a decrease in usability.  If error-notes was sent *in
> addition* to the age old responses I'd be a lot less troubled.
> 
> Dean
> 
> On Wed, 23 Sep 1998, Rodent of Unusual Size wrote:
> 
> > Marc Slemko wrote:
> > > 
> > > I'm a bit confused; why should modules have to do anything special to keep
> > > some obscene thing from taking over their output?  Just because something
> > > logs something to the error log and uses one of Apache's output forms
> > > doesn't mean what they log should be sent to the client!
> > > 
> > > I also didn't notice that this sort of thing is now sent to the client by
> > > default.  Is there even a way to disable it?  That is a bad thing to
> > > just start doing all the time from a security viewpoint.
> > 
> > mod_negotiation and mod_speling use a back door to let
> > ap_send_error_response() know about a variant list.
> > The back door involves putting constructed HTML into the
> > r->notes("variant-list") cell.  If ap_send_error_response()
> > determines that it's processing a 300 error, AND there's
> > a value in that cell, it will construct the error message's
> > content-body from the value.
> > 
> > On the other hand, when ap_send_error_response() starts processing
> > an error, it checks for something in r->notes("error-notes").
> > If it finds something, it uses it in the construction of the
> > content-body of the error page.  This short-circuits the
> > special variant processing code.
> > 
> > So it's not the module's output, directly; it's a hint given
> > to the error handler for that specific error.  As it happens,
> > the general case was dominating the specific.  Manoj's patch
> > just restores things, although mod_negotiation may need a
> > similar patch if it calls ap_log_rerror().  (Haven't checked.)
> > The two simplest possibilities were this route, or to remove
> > the call to ap_log_rerror() in mod_speling altogether.  This
> > seemed the better.
> > 
> > #ken    P-)}
> > 
> > Ken Coar                    <http://Web.Golux.Com/coar/>
> > Apache Group member         <http://www.apache.org/>
> > "Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
> > 
> 
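
Added example, not part of the thread and not Apache's source: a small C model of the body-selection order Ken Coar describes, where a value in error-notes pre-empts the variant-list hint for a 300. The names pick_body, order and echo_log_text are assumptions for illustration; echo_log_text models the kind of off switch the message says is missing, and SPECIFIC_FIRST is one possible ordering, not necessarily what Manoj's patch does.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the two r->notes cells named in the thread. */
struct notes {
    const char *error_notes;   /* text left behind by a logging call */
    const char *variant_list;  /* HTML built by the module for a 300 */
};

enum order { GENERAL_FIRST, SPECIFIC_FIRST };

/* Stock text used when no note applies (placeholder wording). */
static const char CANNED[] = "stock response for this status";

/*
 * Pick the body of an auto-generated response.
 * echo_log_text is a hypothetical off switch: 0 keeps log text
 * out of anything sent to the client.
 */
const char *pick_body(int status, const struct notes *n,
                      enum order o, int echo_log_text)
{
    const char *log_text = echo_log_text ? n->error_notes : NULL;
    const char *variants = (status == 300) ? n->variant_list : NULL;

    if (o == GENERAL_FIRST && log_text)
        return log_text;   /* short-circuits the variant handling */
    if (variants)
        return variants;   /* the specific hint for a 300 */
    if (log_text)
        return log_text;   /* log text reaches the client */
    return CANNED;
}

int main(void)
{
    /* Constructed sample values, not real server output. */
    struct notes n = {
        "spelling fix: /srv/www/internal/fil.html -> file.html",
        "<ul><li><a href=\"file.html\">file.html</a></li></ul>"
    };
    printf("300 general-first : %s\n", pick_body(300, &n, GENERAL_FIRST, 1));
    printf("300 specific-first: %s\n", pick_body(300, &n, SPECIFIC_FIRST, 1));
    printf("404 echo on       : %s\n", pick_body(404, &n, SPECIFIC_FIRST, 1));
    printf("404 echo off      : %s\n", pick_body(404, &n, SPECIFIC_FIRST, 0));
    return 0;
}
```

The third line of output is the case raised as a security concern: with echoing on, text written for the error log becomes the client-visible body for any status that has no more specific hint.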

