httpd-dev mailing list archives

From Bill Stoddard <>
Subject Re: cvs commit: httpd-2.0/modules/generators mod_cgi.c
Date Tue, 24 Aug 2004 12:51:40 GMT
André Malo wrote:

> * wrote:
>>stoddard    2004/08/23 18:49:59
>>  Modified:    modules/generators mod_cgi.c
>>  Log:
>>  Escape bytes returned by the errfn because it might be from an untrusted
>>  source
> Could you ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED it for those who don't want it?
> nd

Sorry, I have no time to spend on it. From a quick look at the code, it seems that it is possible for the errfn to log header fields, which is why I chose to escape the string. Why wouldn't you want to escape the string just to be safe? The errfn is only called on a (hopefully) infrequently encountered error path, so performance shouldn't be an issue. What other reasons would there be for not escaping the string? To prevent an 'obfuscated' error message?
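
An added illustration of the escaping discussed in this thread; it is not part of the original message and is not httpd's own code. `escape_log_item` is a hypothetical helper, and the header value and log format in `main` are constructed samples.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd's implementation: copy src into dst, escaping
 * bytes that could forge or corrupt an error-log line. Returns bytes written. */
size_t escape_log_item(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    const unsigned char *s = (const unsigned char *)src;
    size_t o = 0;
    if (dstlen == 0) return 0;
    for (; *s; s++) {
        char buf[4];
        size_t n = 2;
        buf[0] = '\\';
        switch (*s) {
        case '\n': buf[1] = 'n'; break;
        case '\r': buf[1] = 'r'; break;
        case '\t': buf[1] = 't'; break;
        case '\\': buf[1] = '\\'; break;   /* keeps the output unambiguous */
        default:
            if (*s < 0x20 || *s >= 0x7f) { /* other control and non-ASCII bytes */
                buf[1] = 'x';
                buf[2] = hex[*s >> 4];
                buf[3] = hex[*s & 0x0f];
                n = 4;
            } else {
                buf[0] = (char)*s;         /* printable ASCII passes through */
                n = 1;
            }
        }
        if (o + n >= dstlen)               /* never emit half an escape; keep room for NUL */
            break;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed sample: script output whose "header" embeds CRLF plus a fake log entry. */
    const char *bad = "X-Foo\r\n[Tue Aug 24 12:00:00 2004] [error] forged entry";
    char out[256];
    escape_log_item(bad, out, sizeof out);
    printf("[error] bad header from script: %s\n", out);  /* stays on one log line */
    return 0;
}
```

With the escaping in place, the embedded CRLF is written as the literal text `\r\n`, so the untrusted bytes cannot start a second, forged log entry.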

