www-apache-bugdb mailing list archives

From Barklund@hyperreal.org, Jonas <jo...@csd.uu.se>
Subject mod_log-any/1670: Double quotes in HTTP request line bungle common log
Date Wed, 14 Jan 1998 14:32:25 GMT

>Number:         1670
>Category:       mod_log-any
>Synopsis:       Double quotes in HTTP request line bungle common log
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Jan 14 06:40:00 PST 1998
>Last-Modified:
>Originator:     jonas@csd.uu.se
>Organization:
apache
>Release:        1.2.5
>Environment:
SunOS 5.5.1, SUN SparcServer 20
>Description:
(This is related to PR 1598.)
In the Common Log Format, the HTTP request line
is the fifth field and enclosed in double quotes.  Here is the request line
of a recent log entry from our server:

"GET /"d49her/calvin/jumpstation.html HTTP/1.0"

(Note how the user has entered a double quote instead of a squiggle.)
In order to make it possible to parse a line in the
log (with reasonable convenience), double quotes appearing in the request
line ought to be protected so they do not appear to finish the request
line field.
>How-To-Repeat:
Submit a request containing a double quote in the local part.
>Fix:
When writing the request line to the log (between double quotes),
replace " with \", \ with \\ and newline with \n (the usual C style
conventions).  Typical request lines do not include any of ", \ or newline
and will not be affected by this, but bogus requests will no longer mess up
the log.
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]

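The escaping proposed under >Fix:, together with a parser that reads the quoted field back, as an added example that is not part of the original report or of Apache's code. All function names are hypothetical, and the host, timestamp, status and size in the sample line are constructed; only the request line comes from the report.

```python
import re

# Fix proposed in the report: \ -> \\, " -> \", newline -> \n.
# Backslash goes first so the backslashes added for " and newline are not doubled.
def escape_request_line(raw):
    return raw.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")

_UNESCAPE = {"\\": "\\", '"': '"', "n": "\n"}

def unescape_request_line(field):
    # Single left-to-right pass, so "\\n" decodes to backslash + "n", not a newline.
    return re.sub(r"\\(.)", lambda m: _UNESCAPE.get(m.group(1), m.group(0)), field)

# Quoted field = run of (any char except " and \) or (backslash + any char).
CLF = re.compile(r'(\S+) (\S+) (\S+) \[([^\]]+)\] "((?:[^"\\]|\\.)*)" (\d{3}) (\S+)$')

def format_clf(host, ident, user, when, request, status, size):
    return (f'{host} {ident} {user} [{when}] '
            f'"{escape_request_line(request)}" {status} {size}')

def parse_clf(line):
    m = CLF.match(line)
    if m is None:
        raise ValueError("not a well-formed escaped CLF line")
    host, ident, user, when, request, status, size = m.groups()
    return {"host": host, "ident": ident, "user": user, "time": when,
            "request": unescape_request_line(request),
            "status": int(status), "size": size}

def naive_request_field(line):
    # What a simple "first quote to next quote" parser extracts.
    return re.search(r'"([^"]*)"', line).group(1)

# Request line from the report; host, timestamp, status and size are constructed.
REQUEST = 'GET /"d49her/calvin/jumpstation.html HTTP/1.0'
META = ("192.0.2.10", "-", "-", "14/Jan/1998:14:32:25 +0000")
UNESCAPED_LINE = '{} {} {} [{}] "{}" 404 207'.format(*META, REQUEST)
ESCAPED_LINE = format_clf(*META, REQUEST, 404, 207)

if __name__ == "__main__":
    print(naive_request_field(UNESCAPED_LINE))          # field cut short at the stray quote
    print(ESCAPED_LINE)                                 # same entry with the fix applied
    print(parse_clf(ESCAPED_LINE)["request"] == REQUEST)
```

A log consumer has to apply the matching unescape step, otherwise the recovered request line still contains the added backslashes.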