Posted to cvs@httpd.apache.org by st...@apache.org on 2002/04/22 05:25:40 UTC
cvs commit: httpd-2.0/server log.c util_script.c
stoddard 02/04/21 20:25:40
Modified: . CHANGES
include http_log.h
server log.c util_script.c
Log:
Added the APLOG_TOCLIENT flag to ap_log_rerror() to
explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure.
Revision Changes Path
1.721 +8 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.720
retrieving revision 1.721
diff -u -r1.720 -r1.721
--- CHANGES 21 Apr 2002 18:35:25 -0000 1.720
+++ CHANGES 22 Apr 2002 03:25:39 -0000 1.721
@@ -1,4 +1,12 @@
Changes with Apache 2.0.36
+ *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
+ explicitly tell the server that warning messages should be sent
+ to the client in addition to being recorded in the error log.
+ Prior to this change, ap_log_rerror() always sent warning
+ messages to the client. In one case, a faulty CGI script caused
+ the server to send a warning message to the client that contained
+ the full path to the CGI script. This could be considered a
+ minor security exposure. [Bill Stoddard]
*) mod_autoindex output when SuppressRules was specified would
omit the first carriage return so the first item in the list
1.35 +5 -0 httpd-2.0/include/http_log.h
Index: http_log.h
===================================================================
RCS file: /home/cvs/httpd-2.0/include/http_log.h,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- http_log.h 17 Apr 2002 16:36:27 -0000 1.34
+++ http_log.h 22 Apr 2002 03:25:40 -0000 1.35
@@ -104,6 +104,11 @@
#define APLOG_NOERRNO (APLOG_LEVELMASK + 1)
+/* Use APLOG_TOCLIENT to cause ap_log_rerror() to send the message
+ * to the client in addition to recording it to the error log.
+ */
+#define APLOG_TOCLIENT (APLOG_LEVELMASK + 2)
+
/* normal but significant condition on startup, usually printed to stderr */
#define APLOG_STARTUP ((APLOG_LEVELMASK + 1) * 4)
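Review bot: `#define APLOG_TOCLIENT (APLOG_LEVELMASK + 2)` does not follow the flag-bit scheme of its neighbours `APLOG_NOERRNO (APLOG_LEVELMASK + 1)` and `APLOG_STARTUP ((APLOG_LEVELMASK + 1) * 4)`: if APLOG_LEVELMASK is a contiguous low-bit mask, as its name and those two definitions imply, then LEVELMASK + 2 is NOERRNO + 1 and shares its lowest bit with the level field. Two things then go wrong in the log.c check `if ((level & APLOG_TOCLIENT)` of this same commit: any level whose low bit is set passes the test without the flag ever having been requested, so the client-disclosure gate the commit introduces is not actually closed, and OR-ing the flag into a level whose low bit is clear changes `level & APLOG_LEVELMASK`, i.e. the severity that gets logged. The next free flag bit between NOERRNO and STARTUP is `#define APLOG_TOCLIENT ((APLOG_LEVELMASK + 1) * 2)`. The added comment could also say that the caller is responsible for keeping server-internal details out of a message it marks APLOG_TOCLIENT, since the flag's whole purpose is to control what reaches the client.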
1.118 +5 -5 httpd-2.0/server/log.c
Index: log.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/log.c,v
retrieving revision 1.117
retrieving revision 1.118
diff -u -r1.117 -r1.118
--- log.c 18 Apr 2002 08:27:28 -0000 1.117
+++ log.c 22 Apr 2002 03:25:40 -0000 1.118
@@ -556,16 +556,16 @@
log_error_core(file, line, level, status, r->server, r, NULL, fmt, args);
/*
- * IF the error level is 'warning' or more severe,
+ * IF APLOG_TOCLIENT is set,
+ * AND the error level is 'warning' or more severe,
* AND there isn't already error text associated with this request,
* THEN make the message text available to ErrorDocument and
- * other error processors. This can be disabled by stuffing
- * something, even an empty string, into the "error-notes" cell
- * before calling this routine.
+ * other error processors.
*/
va_end(args);
va_start(args,fmt);
- if (((level & APLOG_LEVELMASK) <= APLOG_WARNING)
+ if ((level & APLOG_TOCLIENT)
+ && ((level & APLOG_LEVELMASK) <= APLOG_WARNING)
&& (apr_table_get(r->notes, "error-notes") == NULL)) {
apr_table_setn(r->notes, "error-notes",
ap_escape_html(r->pool, apr_pvsprintf(r->pool, fmt,
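Review bot: The rewritten comment drops the sentence explaining that pre-populating the "error-notes" cell, even with an empty string, suppresses the client copy, yet the `apr_table_get(r->notes, "error-notes") == NULL` test two lines below still implements exactly that opt-out, so the behaviour is now undocumented. I would keep that sentence and add one line on the new contract, e.g. `* Callers setting APLOG_TOCLIENT must ensure the formatted message is safe to show to a client (no file paths or other server-internal details); it is HTML-escaped but not otherwise sanitised here.` The same `fmt`/`args` pair is formatted once for log_error_core() and once for error-notes, so a single message serves both audiences; that is worth stating in the comment because it is what forced the util_script.c callers to trim their arguments. ap_log_rerror() starts before this hunk and the apr_table_setn() call continues past its last line.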
1.77 +6 -4 httpd-2.0/server/util_script.c
Index: util_script.c
===================================================================
RCS file: /home/cvs/httpd-2.0/server/util_script.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- util_script.c 31 Mar 2002 07:48:56 -0000 1.76
+++ util_script.c 22 Apr 2002 03:25:40 -0000 1.77
@@ -455,8 +455,9 @@
while (1) {
if ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "Premature end of script headers: %s", r->filename);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR|APLOG_TOCLIENT, 0, r,
+ "Premature end of script headers: %s",
+ apr_filename_of_pathname(r->filename));
return HTTP_INTERNAL_SERVER_ERROR;
}
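Review bot: `apr_filename_of_pathname(r->filename)` is applied to the one formatted string that ap_log_rerror() both writes to the error log and, now that APLOG_TOCLIENT is set, stores in error-notes for the client, so the administrator's error log loses the directory part of the script path as well; the same applies to the `"%s: %s", malformed,` call in the second hunk (`@@ -547,8 +548,9 @@`). If the full path is still wanted for diagnostics, it can be recorded by a second call that omits the flag, e.g. `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_DEBUG, 0, r, "script: %s", r->filename);` next to the client-facing one. The basename of the script is still sent to the client; that is presumably the intended trade-off, but a one-line comment such as `/* basename only: this message is sent to the client (APLOG_TOCLIENT) */` would stop a later edit from reintroducing r->filename. The enclosing function starts and ends outside both hunks.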
@@ -547,8 +548,9 @@
}
}
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "%s: %s", malformed, r->filename);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR|APLOG_TOCLIENT, 0, r,
+ "%s: %s", malformed,
+ apr_filename_of_pathname(r->filename));
return HTTP_INTERNAL_SERVER_ERROR;
}