httpd-dev mailing list archives

From Stas Bekman <s...@stason.org>
Subject Re: log_error_core escaping change broke things
Date Fri, 19 Dec 2003 19:27:44 GMT
André Malo wrote:
> * Stas Bekman <stas@stason.org> wrote:
> 
> 
>>Yes, but we use it to log error messages which aren't under our control.
>>e.g. from user's programs, like cgi scripts. what are we supposed to do?
>>parse and split a multiline message and invoke the logger n times?
> 
> 
> post processing, (which was actually hard to do before and safe now).

I lost you here. What post processing?

>>What security fault in printing a new line and tab characters? Sorry if
>>I've missed this discussion. Any pointers?
> 
> 
> The same as in access log. For example, an attacker can fake a log entry by
> injecting a newline into the URL (%0a) and data that looks like a timestamp
> + message. You wouldn't have gotten it.
> \ts are actually questionable. I like the escaping at this point to get a
> clear distinction between spaces and tabs. I'm not sure, however, if there
> are terminals that don't like them.
> 
> References can be found in the CVE-Entry:
> <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020>

That makes sense. I'm not talking about access_log, but error_log. I don't 
think that concern applies to error_log which may contain absolutely anything 
and I fail to see how it would be unsafe. Why not differentiate between 
different logs?

>>I also fail to see server/http_log.h telling anything about this newly 
>>introduced restriction. It was never documented as line oriented, which
>>means that you just changed the public API in the middle of the road, no?
> 
> 
> It was never said/acked to be not line oriented. Where are we now?
> A line in the {access,error}log consists of a timestamp
> and a message. That is expected behaviour, which was broken way too long.

Sorry, Andre, but I think this is an invalid statement. Tomorrow someone will 
decide that logs shouldn't be longer than 74 characters, and suggest that the API 
never said/acked to be not 74 lines long? Maybe it's a silly example, but I 
hope you get the idea.

> We may, however, decide to add an #ifdef SECURITY_HOLE_LOG_INJECTION or the
> like to re-add the broken behaviour of not escaping \n.

:(

Actually it's not only about \n and \t, it's about other chars as well. Now I 
get error messages like this:

[Thu Dec 18 23:33:58 2003] [error] [client 127.0.0.1] Fh::new: Variable 
"@SAVED_SYMBOLS" is not available\teval 'package Fh; sub new {\n 
my($pack,$name,$file,$delete) = @_;\n    _setup_symbols(@SAVED_SYMBOLS) if 
@SAVED_SYMBOLS;\n    require Fcntl unless defined &Fcntl::O_RDWR;\n    (my 
$safename = $name) =~ s/([\\':%])/ sprintf \\'%%%02X\\', ord $1 /eg;\n    my 
$fv = ++$FH . $safename;\n    my $ref = \\\\*{"Fh::$fv"};\n    $file =~ 
m!^([a-zA-Z0-9_ \\\\\\'\\\\":/.\\\\$\\\\\\\\-]+)$! || return;\n    my $safe = 
$1;\n 
sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) || 
return;\n    unlink($safe) if $delete;\n    CORE::delete $Fh::{$fv};\n 
return bless $ref,$pack;\n}\n\n;' called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 776\n\tCGI::_compile 
called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 
740\n\tCGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3961',0) 
called at (eval 80) line 
59\n\tCGI::read_multipart('CGI=HASH(0x8d42248)',742617000027,130) called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 
489\n\tCGI::init('CGI=HASH(0x8d42248)') called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325\n\tCGI::new('CGI') 
called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 
31\n\tTestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421a0)') called 
at (eval 95) line 3\n\teval {...} called at (eval 95) line 3\n at 
/home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 
31\n\tCGI::_compile called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm 
line 
740\n\tCGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3961',0) 
called at (eval 80) line 
59\n\tCGI::read_multipart('CGI=HASH(0x8d42248)',742617000027,130) called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 
489\n\tCGI::init('CGI=HASH(0x8d42248)') called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325\n\tCGI::new('CGI') 
called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 
31\n\tTestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421a0)') called 
at -e line 0\n\teval {...} called at -e line 0\n

which is a totally ruined version of:

[Fri Dec 19 00:19:12 2003] [error] [client 127.0.0.1] Fh::new: Variable 
"@SAVED_SYMBOLS" is not available       eval 'package Fh; sub new {
     my($pack,$name,$file,$delete) = @_;
     _setup_symbols(@SAVED_SYMBOLS) if @SAVED_SYMBOLS;
     require Fcntl unless defined &Fcntl::O_RDWR;
     (my $safename = $name) =~ s/([\':%])/ sprintf \'%%%02X\', ord $1 /eg;
     my $fv = ++$FH . $safename;
     my $ref = \\*{"Fh::$fv"};
     $file =~ m!^([a-zA-Z0-9_ \\\'\\":/.\\$\\\\-]+)$! || return;
     my $safe = $1;
     sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) 
|| return;
     unlink($safe) if $delete;
     CORE::delete $Fh::{$fv};
     return bless $ref,$pack;
}

;' called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 776
         CGI::_compile called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740
 
CGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3845',0) 
called at (eval 80) line 59
         CGI::read_multipart('CGI=HASH(0x8d42268)',742617000027,130) called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489
         CGI::init('CGI=HASH(0x8d42268)') called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325
         CGI::new('CGI') called at 
/home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
         TestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421c0)') 
called at (eval 95) line 3
         eval {...} called at (eval 95) line 3
  at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
         CGI::_compile called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740
 
CGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3845',0) 
called at (eval 80) line 59
         CGI::read_multipart('CGI=HASH(0x8d42268)',742617000027,130) called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489
         CGI::init('CGI=HASH(0x8d42268)') called at 
/home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325
         CGI::new('CGI') called at 
/home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
         TestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421c0)') 
called at -e line 0
         eval {...} called at -e line 0



__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
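
Added example, not part of the original message and not httpd's own code: a minimal escape/unescape pair for the trade-off debated in this thread. Escaping keeps a message on one physical log line, so an embedded newline cannot start a forged entry, and a post-processing step restores the multi-line text for reading. The function names and the escape set (`\n`, `\t`, `\r`, doubled backslash, `\xHH`) are assumptions modelled on the escaped output quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not httpd's own code. */

/* Escape src into dst so the item always stays on one physical line. */
size_t escape_log_item(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0) return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char e[4] = { '\\', 0, 0, 0 };
        size_t n = 2;
        if (*p == '\n') e[1] = 'n';
        else if (*p == '\t') e[1] = 't';
        else if (*p == '\r') e[1] = 'r';
        else if (*p == '\\') e[1] = '\\';
        else if (*p < 0x20 || *p == 0x7f) {
            e[1] = 'x'; e[2] = hex[*p >> 4]; e[3] = hex[*p & 15]; n = 4;
        } else { e[0] = (char)*p; n = 1; }
        if (o + n >= dstlen) break;   /* truncate, never emit half an escape */
        memcpy(dst + o, e, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

/* Post-processing for a human reader: expand one escaped line again. */
size_t unescape_log_item(char *dst, size_t dstlen, const char *src)
{
    size_t o = 0;
    unsigned v;
    if (dstlen == 0) return 0;
    for (; *src && o + 1 < dstlen; src++) {
        if (*src != '\\' || src[1] == '\0') { dst[o++] = *src; continue; }
        src++;
        if (*src == 'n') dst[o++] = '\n';
        else if (*src == 't') dst[o++] = '\t';
        else if (*src == 'r') dst[o++] = '\r';
        else if (*src == 'x' && isxdigit((unsigned char)src[1])
                 && isxdigit((unsigned char)src[2])
                 && sscanf(src + 1, "%2x", &v) == 1) { dst[o++] = (char)v; src += 2; }
        else dst[o++] = *src;         /* doubled backslash -> one backslash */
    }
    dst[o] = '\0';
    return o;
}
```

Because the backslash itself is escaped, the mapping is reversible: a viewer can expand a stored line back to the original text without the log file ever containing a raw newline from the message.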

