> Stas, we have closed a well known and remotely exploitable security leak. This
> goes straight over comfort. If you don't like it, provide an alternative
> solution. Just nagging or trying to talk the problem away doesn't help.

Is creating a compile-time flag to disable the new default behavior a simple
solution that might make everyone happy?

--Geoff
Index: server/main.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/server/main.c,v
retrieving revision 1.152
diff -u -r1.152 main.c
--- server/main.c       5 Jan 2004 10:37:25 -0000       1.152
+++ server/main.c       7 Jan 2004 20:29:43 -0000
@@ -277,6 +277,10 @@
 #ifdef SERVER_CONFIG_FILE
     printf(" -D SERVER_CONFIG_FILE=\"" SERVER_CONFIG_FILE "\"\n");
 #endif
+
+#ifdef UNESCAPED_ERROR_LOG
+    printf(" -D UNESCAPED_ERROR_LOG\n");
+#endif
 }
 
 static void destroy_and_exit_process(process_rec *process,
Index: server/log.c
===================================================================
RCS file: /home/cvspublic/httpd-2.0/server/log.c,v
retrieving revision 1.138
diff -u -r1.138 log.c
--- server/log.c        1 Jan 2004 13:26:23 -0000       1.138
+++ server/log.c        7 Jan 2004 20:29:44 -0000
@@ -402,7 +402,7 @@
                            const request_rec *r, apr_pool_t *pool,
                            const char *fmt, va_list args)
 {
-    char errstr[MAX_STRING_LEN], scratch[MAX_STRING_LEN];
+    char errstr[MAX_STRING_LEN];
     apr_size_t len, errstrlen;
     apr_file_t *logf = NULL;
     const char *referer;
@@ -539,16 +539,27 @@
     }
 
     errstrlen = len;
+#ifdef UNESCAPED_ERROR_LOG
+    len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
+
+    if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
+        len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
+                            ", referer: %s", referer);
+    }
+#else
     if (apr_vsnprintf(scratch, MAX_STRING_LEN - len, fmt, args)) {
+        char scratch[MAX_STRING_LEN];
         len += ap_escape_errorlog_item(errstr + len, scratch,
                                        MAX_STRING_LEN - len);
     }
 
     if (   r && (referer = apr_table_get(r->headers_in, "Referer"))
         && ap_escape_errorlog_item(scratch, referer, MAX_STRING_LEN - len)) {
+        char scratch[MAX_STRING_LEN];
         len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
                             ", referer: %s", scratch);
     }
+#endif
 
     /* NULL if we are logging to syslog */
     if (logf) {
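Review bot: In the `#else` branch, `scratch` is passed to `apr_vsnprintf(scratch, ...)` and `ap_escape_errorlog_item(scratch, referer, ...)` in the two `if` conditions, but the patch declares `char scratch[MAX_STRING_LEN];` only inside the bodies that follow. The earlier log.c hunk also removes the function-scope declaration, so the default (escaping) build has no `scratch` in scope at those calls and should fail to compile. Keep a single function-scope buffer guarded by the flag, `#ifndef UNESCAPED_ERROR_LOG`, `char scratch[MAX_STRING_LEN];`, `#endif`, next to `errstr`, and drop the two in-block declarations. Because the `UNESCAPED_ERROR_LOG` branch writes the formatted message and the client-supplied Referer header without passing them through `ap_escape_errorlog_item`, a comment at the `#ifdef` should say so, for example `/* UNESCAPED_ERROR_LOG: message and Referer are logged as received, without escaping */`. The enclosing function starts and ends outside this hunk.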
