You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Bill Stoddard <bi...@wstoddard.com> on 2002/04/17 22:41:42 UTC

ap_rlog_error() behaviour in Apache 2

I am not at all sure I like ap_rlog_error() adding an error-notes (to r->notes) under the
covers.  For those that are not familer with this,  if you call ap_rlog_error() for a
failed request, the first call will copy your log message to the output stream sent back
to the client. You can end up with stuff on the response that perhaps you didn't intend
(like the full path to a CGI script that failed to run, or perhaps even unescaped user
data).

I am thinking that the second arg of ap_rlog_error()  should take a new option, something
like APR_LOG_RESPONSE or APR_LOG_ERROR-NOTES, that tells ap_rlog_error() to add the
message to error-notes. If you leave off this option, then r->notes will NOT be modified
(and your error message will not be echoed back to the client).

Any opinions?

Bill

Re: ap_rlog_error() behaviour in Apache 2

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.

At 03:41 PM 4/17/2002, Bill Stoddard wrote:
>I am not at all sure I like ap_rlog_error() adding an error-notes (to 
>r->notes) under the
>covers.  For those that are not familer with this,  if you call 
>ap_rlog_error() for a
>failed request, the first call will copy your log message to the output 
>stream sent back
>to the client. You can end up with stuff on the response that perhaps you 
>didn't intend
>(like the full path to a CGI script that failed to run, or perhaps even 
>unescaped user
>data).
>
>I am thinking that the second arg of ap_rlog_error()  should take a new 
>option, something
>like APR_LOG_RESPONSE or APR_LOG_ERROR-NOTES, that tells ap_rlog_error() 
>to add the
>message to error-notes. If you leave off this option, then r->notes will 
>NOT be modified
>(and your error message will not be echoed back to the client).

What if, instead or in addition to your idea, we make the ClientDebugErrors 
on|off
directive default to 'off', meaning NO notes to the client.

If they want to turn them on for debugging, they can work in development 
without
consulting with the error log.

But I'd emit a warning every time the server is started in the error log 
that the
option is -enabled-.

And, as a per-dir sort of thing, there could be a /test/ location or directory
that provides this feedback, without enabling it globally for a server.

Bill