Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/07/22 21:43:16 UTC

DO NOT REPLY [Bug 51543] New: Space in username not properly escaped in log files (%u)

https://issues.apache.org/bugzilla/show_bug.cgi?id=51543

             Bug #: 51543
           Summary: Space in username not properly escaped in log files
                    (%u)
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Core
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dwheeler@dwheeler.com
    Classification: Unclassified


Spaces, if any, in a username are not being properly escaped when they are
written to logs (as part of %u). The normal logs use space as a delimiter
between fields, so having an unescaped space screws up all log processing for
anything involving usernames (%u) with spaces.

This is ESPECIALLY a problem for user SSL certificates, because organizations
(O=) typically include a space character, e.g., "U.S. Government".  Even the
Apache docs show an organization "O=" with a space in:
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.  Thus, if usernames are
actually user SSL certificates, then anyone with an organization having a space
in it (including "U.S. Government") will have a corrupted log entry.

Note that the DEFAULT log format includes %u.

This is NOT the same as bug 28117, because this involves whitespace not
backslashes.

Here's an example of the format I see in the log files:
1.2.3.4 "-" /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=someNAME.someNUMBER [22/Jul/2011:14:56:50 -0400] "GET /somestuff HTTP/1.1" 200 4319
Notice that "U.S. Government" has an embedded space.  But a leading "/" doesn't
tell anyone where it begins or ends.

I don't know which escape mechanism is the right one for usernames.  I can
imagine %20 working.  Alternatively, surround it with double-quotes if there's
an embedded space, and escape double-quote as a pair of double-quotes inside
that.  The key is to pick one.

I have confirmed that this happens in httpd version 2.2.3 of CentOS version
5.6.  I don't know for sure if it happens in later versions, though I suspect
it does.  However, I'm seeing this in a production system, and I don't have the
luxury of upgrading to the latest version of Apache.  I originally found this
problem when trying to parse a log using the Apachelog Python library at
http://code.google.com/p/apachelog/downloads/list but I don't think the library
is at fault here.

Thanks!

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
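
The parsing failure described in the report, as an added example (not code from the reporter, the Apachelog library or httpd). It compares a whitespace split with a parser that anchors on the unambiguous fields, and also reads the quote-and-double escaping the report suggests; the names naive_fields, parse_line and quote_user, the field layout and the sample line are assumptions modelled on the line shown above.

```python
import re

# Constructed sample modelled on the line in the report: %u is a certificate
# subject DN with an unescaped space ("U.S. Government").
USER = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=someNAME.someNUMBER"
TAIL = '[22/Jul/2011:14:56:50 -0400] "GET /somestuff HTTP/1.1" 200 4319'
SAMPLE = '1.2.3.4 "-" ' + USER + " " + TAIL

# Anchor on fields with unambiguous boundaries: host at the start, then the
# bracketed timestamp, quoted request, status and size at the end. The user is
# either a double-quoted string ("" = literal quote) or everything in between.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>"[^"]*"|\S+) '
    r'(?P<user>"(?:[^"]|"")*"|.*?) '
    r'\[(?P<time>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def naive_fields(line):
    """Whitespace split, as a simple space-delimited log processor does."""
    return line.split()

def quote_user(user):
    """Escaping suggested in the report: quote when needed, double any quote."""
    if " " in user or '"' in user:
        return '"' + user.replace('"', '""') + '"'
    return user

def parse_line(line):
    """Return the fields as a dict, or None when the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    user = fields["user"]
    if len(user) >= 2 and user[0] == '"' and user[-1] == '"':
        fields["user"] = user[1:-1].replace('""', '"')
    return fields

if __name__ == "__main__":
    print(naive_fields(SAMPLE)[2])       # user field cut at the space
    print(parse_line(SAMPLE)["user"])    # full DN recovered
    escaped = '1.2.3.4 "-" ' + quote_user(USER) + " " + TAIL
    print(parse_line(escaped)["user"])   # same DN from the escaped form
```

For the unescaped form, a username that itself contains timestamp-shaped text is still ambiguous to any parser, so this recovery is a workaround for existing logs; escaping when the line is written is what removes the ambiguity.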


[Bug 51543] Space in username not properly escaped in log files (%u)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543

Mike Rumph <mi...@oracle.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable



[Bug 51543] Space in username not properly escaped in log files (%u)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543

Seb <s2...@beuth-hochschule.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |s29159@beuth-hochschule.de

--- Comment #1 from Seb <s2...@beuth-hochschule.de> ---
Created attachment 31285
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31285&action=edit
Hi, I wrote a little patch for this old bug. It replaces the space in
usernames with an : in the "log_remote_user" function.



DO NOT REPLY [Bug 51543] Space in username not properly escaped in log files (%u)

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51543

Ken Dreyer <kt...@ktdreyer.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ktdreyer@ktdreyer.com
