At 03:41 PM 4/17/2002, Bill Stoddard wrote: >I am not at all sure I like ap_rlog_error() adding an error-notes (to >r->notes) under the >covers. For those that are not familer with this, if you call >ap_rlog_error() for a >failed request, the first call will copy your log message to the output >stream sent back >to the client. You can end up with stuff on the response that perhaps you >didn't intend >(like the full path to a CGI script that failed to run, or perhaps even >unescaped user >data). > >I am thinking that the second arg of ap_rlog_error() should take a new >option, something >like APR_LOG_RESPONSE or APR_LOG_ERROR-NOTES, that tells ap_rlog_error() >to add the >message to error-notes. If you leave off this option, then r->notes will >NOT be modified >(and your error message will not be echoed back to the client).
What if, instead or in addition to your idea, we make the ClientDebugErrors on|off directive default to 'off', meaning NO notes to the client. If they want to turn them on for debugging, they can work in development without consulting with the error log. But I'd emit a warning every time the server is started in the error log that the option is -enabled-. And, as a per-dir sort of thing, there could be a /test/ location or directory that provides this feedback, without enabling it globally for a server. Bill
