I still want to see it solved on the Apache side.
I don't think you'll see this solved the way you want, so we're going to need to live with it one way or another.
So we need one centralized workaround (in the mod_perl core), and not a separate, randomly varying implementation in every place it's used.
Any workarounds suck, but they're inevitable.
Not necessarily. I think suggesting to httpd-dev that they make this escaping a compile-time option (defaulting to the current behavior) is a good idea.
Because you unescape just a few things at the moment. Later you will want to extend this list.
Perhaps. Notice I didn't try to unescape \b or some of the others, because I don't expect them to show up in the test suite and because it's really the newline thing that makes this hell for us.
That's exactly the problem. You don't expect it, because you are trying to solve the problem for what you see. Others may get other output and they will need to unescape other chars as well.
And this practice is very questionable in terms of circumventing the security this change has been made for.
I don't think so. The security issue was for rogue people trying to access the server remotely via a URL query. For software on the box to do this, it hardly needs to resort to such antics - simply adding shell code to TEST.PL is sufficient.
Not only that. There were several reasons for this change. One of them was logistical, where a malicious user creates a URL that gets logged as two requests, the second request carefully crafted by the user. It's not a security issue per se, IMHO. The main security issue as I understood it was the issue with some terminal programs which can be triggered into doing bad things while reading the log file.
I'm very unhappy about this change in Apache, but besides me everybody keeps quiet and doesn't complain/look for solutions to the core of the problem, so I won't be surprised if it stays that way.
httpd core has chosen their path, giving a valid reason for doing so. Complaining won't get anything else accomplished, other than removing karma.
Complaining didn't help, maybe because I was the only voice. Wait till normal users pick this new server up (when it gets released) and then you will hear the screams of pain en masse. Also, my complaining could be more helpful if I were to propose some sort of solution, rather than just saying 'no, no, no'.
The only thing that bothers me is that they don't have a compile-time option to turn it off.
Right, that sounds good to me.
If Apache doesn't remove this change, I'm thinking that we will provide an alternative implementation in mod_perl and have a compile-time option which will choose Apache's implementation vs. ours (ours will be just a copy of Apache's core implementation before this change). How does this sound? Of course users should be aware of the potential risks if they choose ours.
yucko.
What's your proposal?
__________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
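The thread above argues about two things: why httpd started escaping control characters in logged request data (a newline in a request line used to split one request into two log records, and raw escape sequences could drive a terminal that displays the log), and why an unescape on the mod_perl side should cover the whole escape set rather than only the newline. The following is an added illustration written for this page, not code from httpd or mod_perl. Its escaping rules are modelled on what httpd applies to logged fields as I understand ap_escape_logitem (named C-style escapes for \b \n \r \t \v \\ \", \xHH for every other byte outside printable ASCII); treat that character set as an assumption and check it against the httpd version you actually run. The client address and request lines are constructed sample data. Python is used here only for illustration; the test-suite workaround being discussed would of course be written in Perl.

```python
"""Apache-style log-item escaping and a complete unescape for it.

Added example, not httpd's or mod_perl's own code. The escape set is an
assumption modelled on httpd's ap_escape_logitem as I recall it.
"""
import re

# Named escapes: raw character -> two-character escape sequence.
_NAMED = {
    "\b": "\\b", "\n": "\\n", "\r": "\\r", "\t": "\\t", "\v": "\\v",
    "\\": "\\\\", '"': '\\"',
}
# Reverse map keyed on the letter after the backslash: 'n' -> '\n', ...
_UNNAMED = {seq[1]: raw for raw, seq in _NAMED.items()}

# One escape sequence: \xHH or one of the named letters (or \\ and \").
_ESCAPE_RE = re.compile(r"\\(x[0-9a-fA-F]{2}|[bnrtv\\\"])")


def escape_logitem(item: str) -> str:
    """Escape one logged field before it is written to the access log.

    Printable ASCII (0x20-0x7e) passes through; the named characters get a
    C-style escape; everything else (control bytes, DEL, non-ASCII) is
    emitted byte-wise as \\xHH so the record stays on one line and carries
    no raw terminal control sequences.
    """
    out = []
    for ch in item:
        if ch in _NAMED:
            out.append(_NAMED[ch])
        elif 0x20 <= ord(ch) < 0x7f:
            out.append(ch)
        else:
            out.extend("\\x%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def unescape_logitem(item: str) -> str:
    """Reverse escape_logitem for the whole escape set, not just \\n.

    Escapes are decoded to bytes first so that multi-byte UTF-8 characters
    written as several \\xHH tokens come back as one character. A backslash
    that does not start a known escape is copied through unchanged.
    """
    buf = bytearray()
    i = 0
    while i < len(item):
        m = _ESCAPE_RE.match(item, i)
        if m:
            tok = m.group(1)
            if tok[0] == "x":
                buf.append(int(tok[1:], 16))
            else:
                buf += _UNNAMED[tok].encode("ascii")
            i = m.end()
        else:
            buf += item[i].encode("utf-8")
            i += 1
    return buf.decode("utf-8", errors="replace")


def format_access_line(client: str, request_line: str, status: int, size: int) -> str:
    """A minimal CLF-style record with the request line escaped."""
    return '%s - - "%s" %d %d' % (client, escape_logitem(request_line), status, size)


def log_records(log_text: str) -> list:
    """Split log text into records the way a log parser does: one per line."""
    return log_text.splitlines()


if __name__ == "__main__":
    # Constructed request line carrying an embedded newline and a fake second
    # record; with escaping it stays one record and the newline is visible.
    crafted = 'GET /index.html HTTP/1.0\n10.0.0.1 - - "GET /admin HTTP/1.0" 200 0'
    line = format_access_line("192.0.2.7", crafted, 404, 0)
    print(line)
    print(len(log_records(line)), "record(s)")
    # A terminal clear-screen sequence is logged as text, not as control bytes.
    print(escape_logitem("GET /\x1b[2J HTTP/1.0"))
    # The test-suite side: recover the original request line in full.
    print(repr(unescape_logitem(escape_logitem(crafted))))
```

The point the thread makes about scope is visible in `unescape_logitem`: a version that only mapped `\n` back would leave `\b`, `\t`, `\"` and any `\xHH` in place, so a test comparing recovered output against what the handler wrote would still fail the moment those characters appeared; the reverse map and the `\xHH` branch are what make the unescape total for this escape set.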
