* Stas Bekman <[EMAIL PROTECTED]> wrote:
Yes, but we use it to log error messages which aren't under our control, e.g. from users' programs, like CGI scripts. What are we supposed to do? Parse and split a multiline message and invoke the logger n times?
post processing, (which was actually hard to do before and safe now).
I lost you here. What post processing?
What is the security fault in printing newline and tab characters? Sorry if I've missed this discussion. Any pointers?
The same as in access log. For example, an attacker can fake a log entry by injecting a newline into the URL (%0a) and data that looks like a timestamp + message. You wouldn't have gotten it. \ts are actually questionable. I like the escaping at this point to get a clear distinction between spaces and tabs. I'm not sure, however, if there are terminals that don't like them.
References can be found in the CVE-Entry: <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020>
That makes sense. I'm not talking about access_log, but error_log. I don't think that concern applies to error_log, which may contain absolutely anything, and I fail to see how it would be unsafe. Why not differentiate between different logs?
I also fail to see server/http_log.h telling anything about this newly introduced restriction. It was never documented as line oriented, which means that you just changed the public API in the middle of the road, no?
It was never said/acked to be not line oriented. Where are we now? A line in the {access,error}log consists of a timestamp and a message. That is expected behaviour, which was broken way too long.
Sorry, Andre, but I think this is an invalid statement. Tomorrow someone will decide that logs shouldn't be longer than 74 characters, and suggest that the API never said/acked to be not 74 lines long? Maybe it's a silly example, but I hope you get the idea.
We may, however, decide to add an #ifdef SECURITY_HOLE_LOG_INJECTION or the like to re-add the broken behaviour of not escaping \n.
:(
Actually it's not only about \n and \t, it's about other chars as well. Now I get error messages like this:
[Thu Dec 18 23:33:58 2003] [error] [client 127.0.0.1] Fh::new: Variable "@SAVED_SYMBOLS" is not available\teval 'package Fh; sub new {\n my($pack,$name,$file,$delete) = @_;\n _setup_symbols(@SAVED_SYMBOLS) if @SAVED_SYMBOLS;\n require Fcntl unless defined &Fcntl::O_RDWR;\n (my $safename = $name) =~ s/([\\':%])/ sprintf \\'%%%02X\\', ord $1 /eg;\n my $fv = ++$FH . $safename;\n my $ref = \\\\*{"Fh::$fv"};\n $file =~ m!^([a-zA-Z0-9_ \\\\\\'\\\\":/.\\\\$\\\\\\\\-]+)$! || return;\n my $safe = $1;\n sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) || return;\n unlink($safe) if $delete;\n CORE::delete $Fh::{$fv};\n return bless $ref,$pack;\n}\n\n;' called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 776\n\tCGI::_compile called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740\n\tCGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3961',0) called at (eval 80) line 59\n\tCGI::read_multipart('CGI=HASH(0x8d42248)',742617000027,130) called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489\n\tCGI::init('CGI=HASH(0x8d42248)') called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325\n\tCGI::new('CGI') called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31\n\tTestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421a0)') called at (eval 95) line 3\n\teval {...} called at (eval 95) line 3\n at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31\n\tCGI::_compile called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740\n\tCGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3961',0) called at (eval 80) line 59\n\tCGI::read_multipart('CGI=HASH(0x8d42248)',742617000027,130) called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489\n\tCGI::init('CGI=HASH(0x8d42248)') called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325\n\tCGI::new('CGI') called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 
31\n\tTestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421a0)') called at -e line 0\n\teval {...} called at -e line 0\n
which is a totally ruined version of:
[Fri Dec 19 00:19:12 2003] [error] [client 127.0.0.1] Fh::new: Variable "@SAVED_SYMBOLS" is not available eval 'package Fh; sub new {
my($pack,$name,$file,$delete) = @_;
_setup_symbols(@SAVED_SYMBOLS) if @SAVED_SYMBOLS;
require Fcntl unless defined &Fcntl::O_RDWR;
(my $safename = $name) =~ s/([\':%])/ sprintf \'%%%02X\', ord $1 /eg;
my $fv = ++$FH . $safename;
my $ref = \\*{"Fh::$fv"};
$file =~ m!^([a-zA-Z0-9_ \\\'\\":/.\\$\\\\-]+)$! || return;
my $safe = $1;
sysopen($ref,$safe,Fcntl::O_RDWR()|Fcntl::O_CREAT()|Fcntl::O_EXCL(),0600) || return;
unlink($safe) if $delete;
CORE::delete $Fh::{$fv};
return bless $ref,$pack;
}
;' called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 776
CGI::_compile called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740
CGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3845',0) called at (eval 80) line 59
CGI::read_multipart('CGI=HASH(0x8d42268)',742617000027,130) called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489
CGI::init('CGI=HASH(0x8d42268)') called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325
CGI::new('CGI') called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
TestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421c0)') called at (eval 95) line 3
eval {...} called at (eval 95) line 3
at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
CGI::_compile called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 740
CGI::AUTOLOAD('Fh','b','/home/stas/apache.org/mp2-cvs2/t/logs/CGItemp3845',0) called at (eval 80) line 59
CGI::read_multipart('CGI=HASH(0x8d42268)',742617000027,130) called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 489
CGI::init('CGI=HASH(0x8d42268)') called at /home/stas/perl/blead-ithread/lib/5.9.0/CGI.pm line 325
CGI::new('CGI') called at /home/stas/apache.org/mp2-cvs2/t/response/TestModules/cgi.pm line 31
TestModules::cgi::handler('Apache::RequestRec=SCALAR(0x8d421c0)') called at -e line 0
eval {...} called at -e line 0
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
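
The escaping debated in this thread, as an added example (not part of the original message and not httpd's own code): a hypothetical `escape_log_item` helper escapes control bytes and doubles backslashes, so a newline inside a message cannot start a forged entry and escaped text stays distinguishable from real control characters. The function names and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd's own code: copy src into dst, escaping
 * backslashes and control bytes so the result always stays on one line.
 * Returns bytes written (excluding NUL); never emits half an escape. */
size_t escape_log_item(char *dst, size_t dstlen, const char *src)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0) return 0;
    for (const unsigned char *s = (const unsigned char *)src; *s; s++) {
        char buf[4] = { '\\', 0, 0, 0 };
        size_t n = 2;
        switch (*s) {
        case '\n': buf[1] = 'n';  break;
        case '\r': buf[1] = 'r';  break;
        case '\t': buf[1] = 't';  break;
        case '\\': buf[1] = '\\'; break;  /* doubled: literal "\n" text stays distinct */
        default:
            if (*s < 0x20 || *s == 0x7f) {        /* other control bytes: \xHH */
                buf[1] = 'x'; buf[2] = hex[*s >> 4]; buf[3] = hex[*s & 15]; n = 4;
            } else { buf[0] = (char)*s; n = 1; }
        }
        if (o + n >= dstlen) break;               /* keep room for the NUL */
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

/* Number of physical lines the text would occupy in a log file. */
size_t count_lines(const char *s)
{
    size_t n = 1;
    for (; *s; s++) if (*s == '\n') n++;
    return n;
}

/* Constructed sample: a message carrying a forged second entry. */
const char FORGED[] = "File does not exist: /x\n"
    "[Thu Dec 18 23:33:58 2003] [error] [client 127.0.0.1] forged entry";

int main(void)
{
    char out[256];
    escape_log_item(out, sizeof out, FORGED);
    printf("raw: %zu lines, escaped: %zu line\n%s\n", count_lines(FORGED), count_lines(out), out);
    return 0;
}
```

Because the backslash itself is doubled, a post-processor can reverse the escaping and recover the original multiline message exactly.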
