You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/02/27 17:54:22 UTC

[Bug 60781] New: Access Log Valve does not escape the same as mod_log_config

https://bz.apache.org/bugzilla/show_bug.cgi?id=60781

            Bug ID: 60781
           Summary: Access Log Valve does not escape the same as
                    mod_log_config
           Product: Tomcat 8
           Version: 8.5.11
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
          Assignee: dev@tomcat.apache.org
          Reporter: james@howeswho.co.uk
  Target Milestone: ----

It is my understanding that the log format is supposed to match apache2.
However, escaping is not the same.

As a concrete example, if there is a " in the User-Agent and you use the
combined format, apache2 gives

    127.0.0.1 - - [27/Feb/2017:14:31:48 +0000] "GET / HTTP/1.1" 401 17277 "-"
"Agent \"Test\""

While Tomcat gives

    127.0.0.1 - - [27/Feb/2017:14:31:48 +0000] "GET / HTTP/1.1" 401 17277 "-"
"Agent "Test""

The latter cannot be parsed safely.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 60781] Access Log Valve does not escape the same as mod_log_config

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=60781

--- Comment #1 from Felix Schumacher <fe...@internetallee.de> ---
Created attachment 34787
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34787&action=edit
Escape characters like httpd

I am not sure about the correct handling of chars with values out of the ASCII
range. I believe they are double encoded now. 

But quotes and alike should be escaped correctly.

My first thought was to combine this escaping with ExtendedAccessLogValve, but
it seems, that the quotes are explicitly coded as "" instead of \".

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 60781] Access Log Valve does not escape the same as mod_log_config

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=60781

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Mark Thomas <ma...@apache.org> ---
Fixed in:
- 10.0.x for 10.0.1 onwards
- 9.0.x for 9.0.42 onwards
- 8.5.x for 8.5.62 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 60781] Access Log Valve does not escape the same as mod_log_config

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=60781

Felix Schumacher <fe...@internetallee.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #34787|0                           |1
        is obsolete|                            |

--- Comment #2 from Felix Schumacher <fe...@internetallee.de> ---
Created attachment 34788
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34788&action=edit
Escape characters like httpd

Use ISO-8859-1 to decode String into bytes.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 60781] Access Log Valve does not escape the same as mod_log_config

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=60781

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
Using Felix's patch as a starting point, I've put together this PR:
https://github.com/apache/tomcat/pull/384

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org