httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stas Bekman <s...@stason.org>
Subject Re: log_error_core escaping change broke things
Date Thu, 08 Jan 2004 20:46:32 GMT
Geoffrey Young wrote:
>>Stas, we have closed a well known and remotely exploitable security leak. This
>>goes straight over comfort. If you don't like it, provide an alternative
>>solution. Just nagging or trying to talk the problem away doesn't help.
> 
> is creating a compile-time flag to disable the new-default behavior a simple
> solution that might make everyone happy?

That works for me. What do others think?

Though since it really affects any logging it probably should be called 
UNESCAPED_LOGGING or similar. And probably a similar patch applied to 1.3.

> +#ifdef UNESCAPED_ERROR_LOG
> +    len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
> +
> +    if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
> +        len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
> +                            ", referer: %s", referer);
> +    }
> +#else

__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@stason.org http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com


Mime
View raw message