Posted to docs@httpd.apache.org by André Malo <nd...@perlig.de> on 2003/04/04 23:57:38 UTC

[Review] log escaping documentation

Next one ...

Since Apache 1.3.25 and starting with 2.0.46 logs are escaped, which needs 
to be documented. Attached is a patch of mod_log_config.xml. It's intended 
to go also into the 1.3 docs (but with another version number ...)

Some review is desired. Thanks :)

nd
-- 
If God intended people to be naked, they would be born that way.
  -- Oscar Wilde


Re: [Review] log escaping documentation

Posted by Erik Abele <er...@codefaktor.de>.
André Malo wrote:
> Next one ...
> 
> Since Apache 1.3.25 and starting with 2.0.46 logs are escaped, which needs 
> to be documented. Attached is a patch of mod_log_config.xml. It's intended 
> to go also into the 1.3 docs (but with another version number ...)
> 
> Some review is desired. Thanks :)
> 

+1, except one minor nit: see below...

> ------------------------------------------------------------------------
> 
> Index: manual/mod/mod_log_config.xml
> ===================================================================
> RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_log_config.xml,v
> retrieving revision 1.16
> diff -u -r1.16 mod_log_config.xml
> --- manual/mod/mod_log_config.xml	13 Mar 2003 23:16:04 -0000	1.16
> +++ manual/mod/mod_log_config.xml	4 Apr 2003 21:03:24 -0000
> @@ -185,11 +185,19 @@
>      "%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
>      which did <em>not</em> return some sort of normal status.</p>
>  
> -    <p>Note that there is no escaping performed on the strings from
> -    <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
> -    is mainly to comply with the requirements of the Common Log Format.
> -    This implies that clients can insert control characters into the log,
> -    so care should be taken when dealing with raw log files.</p>

Can we keep the last bit, 'so care...'?

> +    <p>Note that in versions previous to 2.0.46 no escaping has been performed
> +    on the strings from <code>%...r</code>, <code>%...i</code> and
> +    <code>%...o</code>. This was mainly to comply with the requirements of
> +    the Common Log Format. This implied that clients could insert control
> +    characters into the log.</p>

Perhaps something like: '... log, so you had to take care when dealing 
with raw log files.' or a better solution (but I can't provide one) :-)

> +    <p>For security reasons starting with 2.0.46 non-printable and
> +    other special characters are escaped mostly by using
> +    <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for the
> +    the hexadecimal representation of the raw byte. Exceptions from this
> +    rule are <code>"</code> and <code>\</code> which are escaped by prepending
> +    a backslash, and all whitespace characters that are written in their
> +    C-notation (<code>\n</code>, <code>\t</code> etc).</p>
>  
>      <p>Some commonly used log format strings are:</p>
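
Review bot: The added paragraph on escaping has a doubled word across a line break: one line ends with "stands for the" and the next begins with "the hexadecimal representation", so one "the" should go. That paragraph also never says which format strings are escaped, while the paragraph before it names %...r, %...i and %...o; repeating them there would remove the ambiguity. The rewritten first paragraph drops the caution about raw log files, which still matters for logs written by versions before 2.0.46 and is worth keeping in some form.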

