httpd-dev mailing list archives

From Bill Stoddard <b...@wstoddard.com>
Subject Re: cvs commit: httpd-2.0/modules/generators mod_cgi.c
Date Tue, 24 Aug 2004 12:51:40 GMT
André Malo wrote:

> * stoddard@apache.org wrote:
> 
> 
>>stoddard    2004/08/23 18:49:59
>>
>>  Modified:    modules/generators mod_cgi.c
>>  Log:
>>  Escape bytes returned by the errfn because it might be from an untrusted
>>  source
> 
> 
> Could you ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED it for those who don't want it?
> 
> nd

André,
Sorry, I have no time to spend on it. From a quick look at the code, it seems that it is possible
for the errfn to log header fields which is why I choose to escape the string. Why wouldn't you want
to escape the string just to be safe? The errfn is only called on a (hopefully) infrequently encountered
error path, so performance shouldn't be an issue. What other reasons would there be for not escaping the
string? To prevent an 'obfuscated' error message?

Bill
