httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Montague <m...@catseye.org>
Subject Re: [users@httpd] Log problem with REMOTE_USER containing spaces
Date Mon, 18 Jul 2011 01:19:09 GMT

This is all just my opinion as an individual, but...


On July 17, 2011 15:10 , Tom Browder <tom.browder@gmail.com> wrote:
> In those cases I found that a user tried to enter a $REMOTE_USER name
> with spaces (e.g., "Joe Lee") and the resulting log parse bombed
> because the log format does not have the %u protected by quotes.

> 1.  I can put quotes around the "%u" which will work for me, but now I
> have to mod the parser to always expect it.

I think this is the correct solution for your case.  I think it is very 
common to customize the log format to meet special needs, and Apache 
HTTP Server provides ways to do this.  As this is a feature of Apache 
HTTP Server, log parsing software and other tools should support it.


> 2.  Should the Apache log format be changed?  Is it a bug, or should
> it become a new, named log format?

Why would it be a bug?  Apache HTTP Server is logging the correct 
information.  If there is any problem, it is with any assumption that 
log lines should have space-delimited fields.  However, there are 
already other fields for which this assumption does not hold.


> 3.  Can such a user name be filtered by Apache and replace the space
> with the http URL space encoding '%20' or '+'?

For URLs, URL encoding is a standard convention that is well understood, 
supported, and even required by many tools.  I cannot think of any 
similar convention for user names; introducing encoding into the user 
name field of log entries is not only likely to break many tools, it 
also violates the principle of least surprise


> 4.  Should the auth modules reject such names?

No, if they are valid user names for the authentication method in 
question, the auth module should accept them.  If you do not want to 
allow spaces in user names, configure your underlying authentication 
system (LDAP, Kerberos, a MySQL database) to not allow spaces in its 
user names, and issue new user names to any user that currently has a 
space in their user name.


--
   Mark Montague
   mark@catseye.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message