On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
> https://blogs.apache.org/infra/entry/apache_org_incident_report_for
>
> Infra got bit by mod_log_forensic logs including Authorization headers
> and being world-readable, so in an effort to save someone else from
> repeating this mistake how about adding it to the "Security
> considerations" section of the documentation:
>
> [[[
> Index: docs/manual/mod/mod_log_forensic.xml
> ===================================================================
> --- docs/manual/mod/mod_log_forensic.xml (revision 1342688)
> +++ docs/manual/mod/mod_log_forensic.xml (working copy)
> @@ -93,6 +93,10 @@
> document for details on why your security could be compromised
> if the directory where logfiles are stored is writable by
> anyone other than the user that starts the server.</p>
> + <p>The logfiles may contain sensitive data such as the contents of
> + <code>Authorization:</code> headers (which can contain passwords), so
> + they should not be readable by anyone except the user that starts the
> + server.</p>
> </section>
>
> <directivesynopsis>
> ]]]
>
> Perhaps it would be a useful feature to allow excluding those headers
> from being logged, too.
IMO they shouldn't be logged by default (if at all).
Proxy-Authorization also needs to be handled. (Anything else? My
search query foo is particularly bad today.)
Attached is a potential code fix... I guess a directive could be
added to allow them to be logged, but when would that be needed? (A.
When the request crashes due to the exact value of one of these
headers and the module author needs it for debugging.)
--
Born in Roswell... married an alien...
http://emptyhammock.com/
Index: modules/loggers/mod_log_forensic.c
===================================================================
--- modules/loggers/mod_log_forensic.c (revision 1347068)
+++ modules/loggers/mod_log_forensic.c (working copy)
@@ -156,10 +156,21 @@
return n;
}
+static const char *sanitize(const char *key, const char *value)
+{
+ if (!strcasecmp(key, "Authorization") || !strcasecmp(key,
"Proxy-Authorization")) {
+ value = "X";
+ }
+
+ return value;
+}
+
static int count_headers(void *h_, const char *key, const char *value)
{
hlog *h = h_;
+ value = sanitize(key, value);
+
h->count += count_string(key)+count_string(value)+2;
return 1;
@@ -169,6 +180,8 @@
{
hlog *h = h_;
+ value = sanitize(key, value);
+
/* note that we don't have to check h->pos here, coz its been done
for us by log_escape */
*h->pos++ = '|';
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org
