André Malo wrote:

* [EMAIL PROTECTED] wrote:


stoddard    2004/08/23 18:49:59

 Modified:    modules/generators mod_cgi.c
 Log:
 Escape bytes returned by the errfn because it might be from an untrusted
 source


Could you ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED it for those who don't want it?

nd

André,
Sorry, I have no time to spend on it. From a quick look at the code, it seems that it is possible for the errfn to log header fields, which is why I chose to escape the string. Why wouldn't you want to escape the string just to be safe? The errfn is only called on a (hopefully) infrequently encountered error path, so performance shouldn't be an issue. What other reasons would there be for not escaping the string? To prevent an 'obfuscated' error message?


Bill
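
The following is an added example, not part of the original thread and not the mod_cgi change itself: a sketch of the kind of escaping under discussion, applied to a header value before it reaches an error log. The function name `escape_log_item`, the escape format and the sample header are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an Apache API): copy src into dst, escaping bytes that
 * could forge or corrupt a log line. Returns the length, or (size_t)-1 if too small. */
size_t escape_log_item(const char *src, char *dst, size_t dstlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (dstlen == 0)
        return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[4] = { '\\', 0, 0, 0 };
        size_t n = 2;
        switch (*p) {
        case '\n': buf[1] = 'n';  break;
        case '\r': buf[1] = 'r';  break;
        case '\t': buf[1] = 't';  break;
        case '\\': buf[1] = '\\'; break;   /* keeps the encoding unambiguous */
        default:
            if (*p < 0x20 || *p >= 0x7f) { /* other control and 8-bit bytes */
                buf[1] = 'x';
                buf[2] = hex[*p >> 4];
                buf[3] = hex[*p & 0x0f];
                n = 4;
            } else {
                buf[0] = (char)*p;
                n = 1;
            }
        }
        if (o + n >= dstlen)               /* leave room for the NUL */
            return (size_t)-1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed input: a header value trying to start a second log entry. */
    const char *hdr = "x\r\n[Mon Aug 23 18:49:59 2004] [error] forged entry";
    char out[256];
    if (escape_log_item(hdr, out, sizeof out) != (size_t)-1)
        printf("[error] malformed header from script: %s\n", out);
    return 0;
}
```

With the CR and LF rendered as literal `\r\n`, the constructed value stays on a single log line instead of appearing as a separate, forged entry.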
