Stas, we have closed a well-known and remotely exploitable security leak. This goes straight over comfort. If you don't like it, provide an alternative solution. Just nagging or trying to talk the problem away doesn't help.
Is creating a compile-time flag to disable the new-default behavior a simple solution that might make everyone happy?
That works for me. What do others think?
Though since it really affects any logging it probably should be called UNESCAPED_LOGGING or similar. And probably a similar patch applied to 1.3.
+#ifdef UNESCAPED_ERROR_LOG
+ len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
+
+ if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
+ len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
+ ", referer: %s", referer);
+ }
+#else
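Review bot: In the UNESCAPED_ERROR_LOG branch, the apr_snprintf call with ", referer: %s" copies the client-supplied Referer header into errstr verbatim, and the apr_vsnprintf above it does the same for the formatted message, so a build with this flag defined writes request-controlled bytes to the error log unescaped. Add a comment at the #ifdef stating that defining it restores the old unescaped output and that it is meant to stay undefined by default, and document the flag alongside the other build-time options. As raised in the thread, a name such as UNESCAPED_LOGGING would describe the scope better if the flag ends up covering more than the error log.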
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
