document log escaping

Reviewed by: Astrid Ke�ler, Erik Abele

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99283 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/docs/manual/mod/mod_log_config.html.en b/docs/manual/mod/mod_log_config.html.en
index fb33e89753c9f601983f7aaa40703871226e1bff..7c542da77ed1e4f9fca01034f2fd0dc808bc1e15 100644 (file)
--- a/docs/manual/mod/mod_log_config.html.en
+++ b/docs/manual/mod/mod_log_config.html.en
@@ -178,11 +178,20 @@
     "%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
     which did <em>not</em> return some sort of normal status.</p>
 
-    <p>Note that there is no escaping performed on the strings from
-    <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
-    is mainly to comply with the requirements of the Common Log Format.
-    This implies that clients can insert control characters into the log,
-    so care should be taken when dealing with raw log files.</p>
+    <p>Note that in versions previous to 2.0.46 no escaping has been performed
+    on the strings from <code>%...r</code>, <code>%...i</code> and
+    <code>%...o</code>. This was mainly to comply with the requirements of
+    the Common Log Format. This implied that clients could insert control
+    characters into the log, so you had to be quite careful when dealing
+    with raw log files.</p>
+
+    <p>For security reasons starting with 2.0.46 non-printable and
+    other special characters are escaped mostly by using
+    <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for
+    the hexadecimal representation of the raw byte. Exceptions from this
+    rule are <code>"</code> and <code>\</code> which are escaped by prepending
+    a backslash, and all whitespace characters that are written in their
+    C-notation (<code>\n</code>, <code>\t</code> etc).</p>
 
     <p>Some commonly used log format strings are:</p>
 

diff --git a/docs/manual/mod/mod_log_config.xml b/docs/manual/mod/mod_log_config.xml
index f8e4c8175ce000444596128155c14005045481ee..3eb3cee9912454e9207f957fa43e96dc89253446 100644 (file)
--- a/docs/manual/mod/mod_log_config.xml
+++ b/docs/manual/mod/mod_log_config.xml
@@ -185,11 +185,20 @@
     "%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
     which did <em>not</em> return some sort of normal status.</p>
 
-    <p>Note that there is no escaping performed on the strings from
-    <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
-    is mainly to comply with the requirements of the Common Log Format.
-    This implies that clients can insert control characters into the log,
-    so care should be taken when dealing with raw log files.</p>
+    <p>Note that in versions previous to 2.0.46 no escaping has been performed
+    on the strings from <code>%...r</code>, <code>%...i</code> and
+    <code>%...o</code>. This was mainly to comply with the requirements of
+    the Common Log Format. This implied that clients could insert control
+    characters into the log, so you had to be quite careful when dealing
+    with raw log files.</p>
+
+    <p>For security reasons starting with 2.0.46 non-printable and
+    other special characters are escaped mostly by using
+    <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for
+    the hexadecimal representation of the raw byte. Exceptions from this
+    rule are <code>"</code> and <code>\</code> which are escaped by prepending
+    a backslash, and all whitespace characters that are written in their
+    C-notation (<code>\n</code>, <code>\t</code> etc).</p>
 
     <p>Some commonly used log format strings are:</p>