Hi all

When using the 'combined' or 'forwarded' log style, the request,
referrer and user-agent are all wrapped in double-quotes (") like this:

ifconfig.se 127.0.0.1 - - [15/Dec/2020:22:38:54 +0100] "GET / HTTP/1.1" 200 
6320 "Referrer" "User-Agent" 10.0.10.5 -

Since all three are provided by and can be modified by the client, they can
easily add extra double-quotes. This can be used to make the logs look
weird or somewhat forged.  For example, if the request is sent with the
user-agent 'User-Agent" 1.2.3.4 "', the logs will look like:

ifconfig.se 127.0.0.1 - - [15/Dec/2020:22:38:54 +0100] "GET / HTTP/1.1" 200 
6320 "Referrer" "User-Agent" 1.2.3.4 "" 10.0.10.5 -

By using the stravis VIS_DQ flag, they will be encoded with a backslash:

ifconfig.se 127.0.0.1 - - [15/Dec/2020:22:38:54 +0100] "GET / HTTP/1.1" 200 
6320 "Referrer" "User-Agent\" 1.2.3.4 \"" 10.0.10.5 -


My initial concern was that someone could forge the 'forwarded' IP.
I tried to work around that by changing the order and have it added
before the user-agent, but after reading the lists[1][2] I learned that
it would break the 'combined' log parsing for Webalizer and GoAccess.
I have no idea how my patch would affect those, but we already encode
backslash, newline and tabs the same way so I guess they handle it well.
A more interesting question is, how do they handle double-quotes in the
referrer or user-agent.

Any thoughts?


Yours,
Jesper Wallin

[1] https://marc.info/?t=154201313600048&r=1&w=2
[2] https://marc.info/?t=155170488300003&r=1&w=2


Index: httpd.h
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/httpd.h,v
retrieving revision 1.153
diff -u -p -r1.153 httpd.h
--- httpd.h     29 Oct 2020 12:30:52 -0000      1.153
+++ httpd.h     15 Dec 2020 21:42:58 -0000
@@ -57,7 +57,7 @@
 #define HTTPD_REALM_MAX                255
 #define HTTPD_LOCATION_MAX     255
 #define HTTPD_DEFAULT_TYPE     { "bin", "application", "octet-stream", NULL }
-#define HTTPD_LOGVIS           VIS_NL|VIS_TAB|VIS_CSTYLE
+#define HTTPD_LOGVIS           VIS_DQ|VIS_NL|VIS_TAB|VIS_CSTYLE
 #define HTTPD_TLS_CERT         "/etc/ssl/server.crt"
 #define HTTPD_TLS_KEY          "/etc/ssl/private/server.key"
 #define HTTPD_TLS_CONFIG_MAX   511
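Review bot: the hunk changes only the flag set, so whether it helps or hurts depends on what the consumers of the combined/forwarded format do with a backslash-escaped quote inside a quoted field; the mail itself leaves that open for Webalizer and GoAccess, and it should be confirmed before this goes in, because a parser that does not honour `\"` will still mis-split the line, just on a different character. It would also be worth a sentence in httpd.conf(5) saying that a double quote in the request line, referrer or user-agent is now logged as `\"`, so anyone splitting the log with a plain quote-based regex knows what to expect. Finally, HTTPD_LOGVIS is a single macro: check its other users to confirm that no field which is written without surrounding quotes needs to stay unescaped.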

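The field shift described in the mail, shown on a constructed log line in an added C example that is not part of the mail or of httpd. split_log() is a plain field splitter of the kind a log analyser uses (spaces separate fields, [...] and "..." group them, and a backslash inside quotes protects the next character); logvis() is a stand-in for stravis(3) with the patched HTTPD_LOGVIS flags, written out here so the example builds without <vis.h>; logparse_demo(), escaped(), forged_ua and the host, addresses and sizes in the formatted line are this example's own constructions. Run on the user-agent from the mail, the unescaped line splits into 14 fields with 1.2.3.4 sitting where the forwarded-for address is read, while the VIS_DQ-escaped line splits into the expected 12 with 10.0.10.5 in that position.

```c
/* Added example, not httpd's code: a log-field splitter of the kind a log
 * analyser uses, plus logvis(), a stand-in for stravis(3) with the patched
 * HTTPD_LOGVIS flags (VIS_DQ|VIS_NL|VIS_TAB|VIS_CSTYLE), so no <vis.h> is needed. */
#include <stdio.h>
#include <string.h>

#define MAXFIELDS	32
#define FIELDSZ		256
#define FORWARDED_XFF	10	/* 0-based index of the forwarded-for field */

/* Constructed attacker value from the mail: closes the quoted field early. */
static const char forged_ua[] = "User-Agent\" 1.2.3.4 \"";

/* '"', '\', newline and tab become \" \\ \n \t; returns length, -1 if dst is full. */
static int
logvis(char *dst, size_t dstsz, const char *src)
{
	size_t n = 0;
	for (; *src != '\0'; src++) {
		const char *rep = *src == '"' ? "\\\"" : *src == '\\' ? "\\\\" :
		    *src == '\n' ? "\\n" : *src == '\t' ? "\\t" : NULL;
		size_t len = rep ? strlen(rep) : 1;
		if (n + len >= dstsz)
			return -1;
		memcpy(dst + n, rep ? rep : src, len);
		n += len;
	}
	dst[n] = '\0';
	return (int)n;
}

/* ua as httpd would log it with VIS_DQ in HTTPD_LOGVIS (static buffer). */
static const char *
escaped(const char *ua)
{
	static char esc[2 * FIELDSZ];
	return logvis(esc, sizeof(esc), ua) < 0 ? NULL : esc;
}

/* Split a line into fields: spaces separate, [...] holds the timestamp and
 * "..." a string in which a backslash protects the next character (kept
 * verbatim, not decoded). Returns the field count, or -1 on a bad line. */
static int
split_log(const char *line, char fields[][FIELDSZ])
{
	const char *p = line;
	int nf = 0;
	while (*p == ' ')
		p++;
	for (; *p != '\0'; nf++) {
		char *out, end;
		size_t n = 0;
		if (nf == MAXFIELDS)
			return -1;
		out = fields[nf];
		end = *p == '"' ? '"' : *p == '[' ? ']' : ' ';
		if (end != ' ')
			p++;				/* opening delimiter */
		while (*p != end && *p != '\0') {
			if (n + 3 > FIELDSZ)
				return -1;
			if (end == '"' && *p == '\\' && p[1] != '\0')
				out[n++] = *p++;	/* keep the escape and ... */
			out[n++] = *p++;		/* ... the protected character */
		}
		if (end != ' ' && *p++ != end)
			return -1;			/* unterminated "..." or [...] */
		out[n] = '\0';
		while (*p == ' ')
			p++;
	}
	return nf;
}

struct seen { int nf; const char *xff; };

/* Log ua raw (escape == 0) or escaped, in httpd's "forwarded" style around
 * constructed host/address/size values, split the line and report the field
 * count plus what a parser reading field 10 takes for the forwarded address. */
static struct seen
logparse_demo(const char *ua, int escape)
{
	static char fields[MAXFIELDS][FIELDSZ];
	char line[4 * FIELDSZ];
	struct seen s = { -1, "" };
	int n;
	if (escape && (ua = escaped(ua)) == NULL)
		return s;
	n = snprintf(line, sizeof(line), "ifconfig.se 127.0.0.1 - - "
	    "[15/Dec/2020:22:38:54 +0100] \"GET / HTTP/1.1\" 200 6320 "
	    "\"Referrer\" \"%s\" 10.0.10.5 -", ua);
	if (n < 0 || (size_t)n >= sizeof(line))
		return s;
	s.nf = split_log(line, fields);
	if (s.nf > FORWARDED_XFF)
		s.xff = fields[FORWARDED_XFF];
	return s;
}
```

Calling logparse_demo(forged_ua, 0) and logparse_demo(forged_ua, 1) from a main() gives the two results quoted in the lead-in. A log consumer that cannot change the writer can still use the same idea: a forwarded-style line that does not split into exactly 12 fields has been tampered with or truncated, and its forwarded-for field should not be trusted.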