Posted to dev@httpd.apache.org by Brian Behlendorf <br...@collab.net> on 2001/01/27 18:35:07 UTC

logging error

In the access logs from last night (I log "%v CLF"):

www.apache.org 163.30.90.182 - - [26/Jan/2001:20:10:51 -0800] "GET /_vti_inf.html HTTP/1.1
Date: Sat, 27 Jan 2001 04:04:44 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"

(yes, there's a newline after the HTTP/1.1 there, that gets printed into
the log, making both those log entries bogus)

More examples:

www.apache.org 163.30.90.182 - - [26/Jan/2001:20:10:53 -0800] "OPTIONS / HTTP/1.1
Accept-Language: ja, en-us;q=0.2" 200 182 "-" "Microsoft Data Access Internet Publishing Provider DAV"

www.apache.org 163.30.90.182 - - [26/Jan/2001:20:12:14 -0800] "OPTIONS /images/apache_pb.gif HTTP/1.1
Accept-Language: ja, en-us;q=0.2" 200 182 "-" "Microsoft Data Access Internet Publishing Provider DAV"

www.apache.org 163.30.90.182 - - [26/Jan/2001:20:13:34 -0800] "GET /_vti_inf.html HTTP/1.1
Date: Sat, 27 Jan 2001 04:07:27 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"

www.apache.org 163.30.94.16 - - [26/Jan/2001:22:39:09 -0800] "GET /_vti_inf.html HTTP/1.1
Date: Sat, 27 Jan 2001 06:32:57 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"

	Brian




Re: logging error

Posted by Jeff Trawick <tr...@bellsouth.net>.
Brian Behlendorf <br...@collab.net> writes:

> In the access logs from last night (I log "%v CLF"):
> 
> www.apache.org 163.30.90.182 - - [26/Jan/2001:20:10:51 -0800] "GET /_vti_inf.html HTTP/1.1
> Date: Sat, 27 Jan 2001 04:04:44 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
> 
> (yes, there's a newline after the HTTP/1.1 there, that gets printed into
> the log, making both those log entries bogus)

One theory is that the client is sending a password in the request
(these are web publishing tools, right?) and that something bad
happened in the hide-password leg of code:

static const char *log_request_line(request_rec *r, char *a)
{
    /* NOTE: If the original request contained a password, we
     * re-write the request line here to contain XXXXXX instead:
     * (note the truncation before the protocol string for HTTP/0.9 requests)
     * (note also that r->the_request contains the unmodified request)
     */
    return (r->parsed_uri.password)
        ? apr_pstrcat(r->pool, r->method, " ",
                      ap_unparse_uri_components(r->pool, &r->parsed_uri, 0),
                      r->assbackwards ? NULL : " ", r->protocol, NULL)
        : r->the_request;
}

Does anybody have FrontPage 4.0 or something which would call itself
"Microsoft Data Access Internet Publishing Provider DAV"?

Any other theories?

> More examples:
> 
> www.apache.org 163.30.90.182 - - [26/Jan/2001:20:10:53 -0800] "OPTIONS / HTTP/1.1
> Accept-Language: ja, en-us;q=0.2" 200 182 "-" "Microsoft Data Access Internet Publishing Provider DAV"
> 
> www.apache.org 163.30.90.182 - - [26/Jan/2001:20:12:14 -0800] "OPTIONS /images/apache_pb.gif HTTP/1.1
> Accept-Language: ja, en-us;q=0.2" 200 182 "-" "Microsoft Data Access Internet Publishing Provider DAV"
> 
> www.apache.org 163.30.90.182 - - [26/Jan/2001:20:13:34 -0800] "GET /_vti_inf.html HTTP/1.1
> Date: Sat, 27 Jan 2001 04:07:27 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
> 
> www.apache.org 163.30.94.16 - - [26/Jan/2001:22:39:09 -0800] "GET /_vti_inf.html HTTP/1.1
> Date: Sat, 27 Jan 2001 06:32:57 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"

-- 
Jeff Trawick | trawickj@bellsouth.net | PGP public key at web site:
       http://www.geocities.com/SiliconValley/Park/9289/
             Born in Roswell... married an alien...
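
Added example, not part of either message and not httpd code: a small scanner that finds access-log records whose quoted request field spans more than one physical line, as in the entries reported above, and rejoins them with the newline made visible. The sample lines are constructed in the thread's "%v CLF" layout with placeholder host and address; the function name and regexes are assumptions of this sketch.

```python
import re

# Constructed sample in the thread's layout; host and address are placeholders.
SAMPLE = '''\
www.example.org 192.0.2.10 - - [26/Jan/2001:20:10:49 -0800] "GET / HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
www.example.org 192.0.2.10 - - [26/Jan/2001:20:10:51 -0800] "GET /_vti_inf.html HTTP/1.1
Date: Sat, 27 Jan 2001 04:04:44 GMT" 404 281 "-" "Mozilla/2.0 (compatible; MS FrontPage 4.0)"
www.example.org 192.0.2.10 - - [26/Jan/2001:20:10:53 -0800] "OPTIONS / HTTP/1.1
Accept-Language: ja, en-us;q=0.2" 200 182 "-" "Microsoft Data Access Internet Publishing Provider DAV"
'''.splitlines()

# Start of a record: vhost, client, ident, user, [time], opening quote.
HEAD = re.compile(r'^(\S+) (\S+) \S+ \S+ \[([^\]]+)\] "(.*)$')
# End of a record: closing quote of the request, status, bytes, referer, agent.
TAIL = re.compile(r'^(.*)" (\d{3}) (\d+|-) "[^"]*" "[^"]*"$')


def find_split_records(lines):
    """Return one dict per record whose request field spans physical lines."""
    findings, pending = [], None
    for no, line in enumerate(lines, 1):
        head = HEAD.match(line)
        if head:
            # A new record starts here; any unfinished one is abandoned.
            rest = head.group(4)
            if TAIL.match(rest):
                pending = None  # complete on one line, nothing to report
            else:
                pending = {"line": no, "client": head.group(2), "parts": [rest]}
            continue
        if pending is None:
            continue  # stray line with no open record
        tail = TAIL.match(line)
        if tail:
            # Continuation that closes the quote: rejoin and escape the break.
            pending["parts"].append(tail.group(1))
            pending["status"] = int(tail.group(2))
            pending["request"] = "\\n".join(pending.pop("parts"))
            findings.append(pending)
            pending = None
        else:
            pending["parts"].append(line)  # request spans more than two lines
    return findings


if __name__ == "__main__":
    for rec in find_split_records(SAMPLE):
        print(rec["line"], rec["client"], rec["status"], rec["request"])
```

A continuation line crafted to look like the start of a record would be read as a new record here, which is why a line-oriented log cannot be trusted once raw newlines reach it.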