httpd-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: log_error_core escaping change broke things
Date Fri, 19 Dec 2003 10:08:10 GMT
André Malo wrote:
> * Stas Bekman <stas@stason.org> wrote:
> 
> 
>>This change:
>>http://cvs.apache.org/viewcvs.cgi/httpd-2.0/server/log.c?r1=1.127.2.4&r2=1.127.2.5&diff_format=h
>>now escapes \n and \t chars. Why in the world would you do that? How are we 
>>supposed to work with multilined and formatted with \t data?
> 
> 
> We aren't. The errorlog is not supposed to store table data. It's *line*
> oriented. I consider this as a long outstanding security fix not a breakage.

Yes, but we use it to log error messages which aren't under our control, e.g. 
from user's programs, like CGI scripts. What are we supposed to do? Parse and 
split a multiline message and invoke the logger n times?

What is the security fault in printing newline and tab characters? Sorry if I've 
missed this discussion. Any pointers?

I also fail to see server/http_log.h saying anything about this newly 
introduced restriction. It was never documented as line oriented, which means 
that you just changed the public API in the middle of the road, no? Maybe 
it's OK for 2.1, but definitely not for 2.0, since the moment users upgrade 
their httpd from 2.9.48 to 2.0.49 (when that's released), they won't be very 
happy about this change.

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
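
What escaping `\n` and `\t` does to a multi-line, tab-formatted message of the kind discussed above, as an added example that is not part of the original message and not httpd's code: in a line-oriented log a raw newline inside one message cannot be told apart from the start of a new entry, while the escaped form stays on one line. The names `escape_log_item` and `log_lines`, the sample text, and the `\xHH` form for other control bytes are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper, not httpd's function: copy src into dst with control
 * characters and backslashes written as visible escapes, so one message is
 * always one physical log line. Returns bytes written (truncates if full). */
static size_t escape_log_item(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    if (dstlen == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char two = *p == '\n' ? 'n' : *p == '\t' ? 't' :
                   *p == '\r' ? 'r' : *p == '\\' ? '\\' : 0;
        int ctl = !two && (*p < 0x20 || *p == 0x7f);
        size_t need = two ? 2 : ctl ? 4 : 1;
        if (o + need >= dstlen)
            break;                       /* keep room for the terminator */
        if (two) {
            dst[o++] = '\\';
            dst[o++] = two;
        } else if (ctl) {                /* any other control byte: \xHH */
            o += (size_t)snprintf(dst + o, dstlen - o, "\\x%02x", (unsigned)*p);
        } else {
            dst[o++] = (char)*p;
        }
    }
    dst[o] = '\0';
    return o;
}

/* Number of physical lines a message occupies in a line-oriented log. */
static int log_lines(const char *msg)
{
    int n = 1;
    for (; *msg; msg++)
        n += (*msg == '\n');
    return n;
}

/* Constructed sample: multi-line, tab-formatted text from a CGI script. */
static const char RAW[] = "config error:\n\tline 12: bad value";

int main(void)
{
    char safe[128];
    escape_log_item(safe, sizeof safe, RAW);
    printf("%d -> %d line(s): %s\n", log_lines(RAW), log_lines(safe), safe);
    return 0;
}
```

The escaping is reversible because the backslash itself is escaped, so a log viewer can restore the original line breaks and tabs for display.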

