Re: [Review] log escaping documentation

6 Apr 2003 13:52:22 -0000

Andr� Malo wrote: 
Next one ...

Since Apache 1.3.25 and starting with 2.0.46 logs are escaped, which needs to be documented. Attached is a patch of mod_log_config.xml. It's intended to go also into the 1.3 docs (but with another version number ...)

Some review is desired. Thanks :)


+1, except one minor nit: see below...

------------------------------------------------------------------------

Index: manual/mod/mod_log_config.xml
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_log_config.xml,v
retrieving revision 1.16
diff -u -r1.16 mod_log_config.xml
--- manual/mod/mod_log_config.xml 13 Mar 2003 23:16:04 -0000 1.16
+++ manual/mod/mod_log_config.xml 4 Apr 2003 21:03:24 -0000
@@ -185,11 +185,19 @@
"%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
which did <em>not</em> return some sort of normal status.</p>
- <p>Note that there is no escaping performed on the strings from
- <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
- is mainly to comply with the requirements of the Common Log Format.
- This implies that clients can insert control characters into the log,
- so care should be taken when dealing with raw log files.</p> 

can we keep the last bit 'so care...'

+    <p>Note that in versions previous to 2.0.46 no escaping has been performed
+    on the strings from <code>%...r</code>, <code>%...i</code> and
+    <code>%...o</code>. This was mainly to comply with the requirements of
+    the Common Log Format. This implied that clients could insert control
+    characters into the log.</p>

perhaps somethine like: '... log, so you had to take care when dealing with raw log files.' or a better solution (but I can't provide one) :-)

+ <p>For security reasons starting with 2.0.46 non-printable and
+ other special characters are escaped mostly by using
+ <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for the
+ the hexadecimal representation of the raw byte. Exceptions from this
+ rule are <code>"</code> and <code>\</code> which are escaped by prepending
+ a backslash, and all whitespace characters that are written in their
+ C-notation (<code>\n</code>, <code>\t</code> etc).</p>
<p>Some commonly used log format strings are:</p> 


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to