Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/22 21:43:16 UTC
DO NOT REPLY [Bug 51543] New: Space in username not properly escaped in log files (%u)
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543
Bug #: 51543
Summary: Space in username not properly escaped in log files (%u)
Product: Apache httpd-2
Version: 2.2.3
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Core
AssignedTo: bugs@httpd.apache.org
ReportedBy: dwheeler@dwheeler.com
Classification: Unclassified
Spaces, if any, in a username are not being properly escaped when they are
written to logs (as part of %u). The normal logs use space as a delimiter
between fields, so having an unescaped space screws up all log processing for
anything involving usernames (%u) with spaces.
This is ESPECIALLY a problem for user SSL certificates, because organizations
(O=) typically include a space character, e.g., "U.S. Government". Even the
Apache docs show an organization "O=" with a space in:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html. Thus, if usernames are
actually user SSL certificates, then anyone with an organization having a space
in it (including "U.S. Government") will have a corrupted log entry.
Note that the DEFAULT log format includes %u.
This is NOT the same as bug 28117, because this involves whitespace not
backslashes.
Here's an example of the format I see in the log files:
1.2.3.4 "-" /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=someNAME.someNUMBER [22/Jul/2011:14:56:50 -0400] "GET /somestuff HTTP/1.1" 200 4319
Notice that "U.S. Government" has an embedded space. But a leading "/" doesn't
tell anyone where it begins or ends.
I don't know which escape mechanism is the right one for usernames. I can
imagine %20 working. Alternatively, surround it with double-quotes if there's
an embedded space, and escape double-quote as a pair of double-quotes inside
that. The key is to pick one.
I have confirmed that this happens in httpd version 2.2.3 of CentOS version
5.6. I don't know for sure if it happens in later versions, though I suspect
it does. However, I'm seeing this in a production system, and I don't have the
luxury of upgrading to the latest version of Apache. I originally found this
problem when trying to parse a log using the Apachelog Python library at
http://code.google.com/p/apachelog/downloads/list but I don't think the library
is at fault here.
Thanks!
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
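The field ambiguity described in the report, and the two escaping schemes it proposes (%20 and double-quoting with doubled quotes), shown as an added example that is not part of the original report or of httpd. The tokenizer, the function names and the TRICKY sample value are assumptions; the log layout follows the report's sample line.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample values modelled on the report's log line.
USER = "/C=US/O=U.S. Government/OU=DoD/CN=someNAME.someNUMBER"
TRICKY = 'O="Acme %20 Ltd"'   # contains a space, double quotes and a literal %20
TEMPLATE = '1.2.3.4 "-" {user} [22/Jul/2011:14:56:50 -0400] "GET /somestuff HTTP/1.1" 200 4319'
EXPECTED_FIELDS = 7

def esc_none(user):
    """What the report observes: the username is written as-is."""
    return user

def esc_percent(user):
    """Proposal 1: percent-encode delimiters; '%' itself is encoded so decoding is exact."""
    return quote(user, safe="/=.,:@-_+")

def esc_quoted(user):
    """Proposal 2: wrap in double quotes when a delimiter is present, doubling embedded quotes."""
    if re.search(r'[\s"\[\]]', user):
        return '"' + user.replace('"', '""') + '"'
    return user

def render(user, escape):
    """Build one log line with the username passed through the chosen escaper."""
    return TEMPLATE.format(user=escape(user))

def tokenize(line):
    """Split a line into fields: [timestamp], "quoted" (with "" escapes), or bare token."""
    return re.findall(r'\[[^\]]*\]|"(?:[^"]|"")*"|\S+', line)

def user_field(line, scheme):
    """Return the decoded third field (the username) under the given scheme."""
    raw = tokenize(line)[2]
    if scheme == "percent":
        return unquote(raw)
    if scheme == "quoted" and raw.startswith('"'):
        return raw[1:-1].replace('""', '"')
    return raw

if __name__ == "__main__":
    for name, esc in (("none", esc_none), ("percent", esc_percent), ("quoted", esc_quoted)):
        for user in (USER, TRICKY):
            line = render(user, esc)
            ok = len(tokenize(line)) == EXPECTED_FIELDS and user_field(line, name) == user
            print(f"{name:8} round-trip={'ok' if ok else 'BROKEN'}  {line}")
```

A cheap check for log pipelines that follows from this: count the fields per line and flag any line that does not have the expected number, since a shifted field means every later column (status, bytes) is being read from the wrong position.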
[Bug 51543] Space in username not properly escaped in log files (%u)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543
Mike Rumph <mi...@oracle.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |PatchAvailable
[Bug 51543] Space in username not properly escaped in log files (%u)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543
Seb <s2...@beuth-hochschule.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |s29159@beuth-hochschule.de
--- Comment #1 from Seb <s2...@beuth-hochschule.de> ---
Created attachment 31285
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31285&action=edit
Hi, I wrote a little patch for this old bug. It replaces the space in
usernames with a : in the "log_remote_user" function.
DO NOT REPLY [Bug 51543] Space in username not properly escaped in log files (%u)
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543
Ken Dreyer <kt...@ktdreyer.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ktdreyer@ktdreyer.com