explicitly tell the server that warning messages should be sent
to the client in addition to being recorded in the error log.
Prior to this change, ap_log_rerror() always sent warning
messages to the client. In one case, a faulty CGI script caused
the server to send a warning message to the client that contained
the full path to the CGI script. This could be considered a
minor security exposure.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@94744 13f79535-47bb-0310-9956-ffa450edef68
Changes with Apache 2.0.36
+ *) [Security] Added the APLOG_TOCLIENT flag to ap_log_rerror() to
+ explicitly tell the server that warning messages should be sent
+ to the client in addition to being recorded in the error log.
+ Prior to this change, ap_log_rerror() always sent warning
+ messages to the client. In one case, a faulty CGI script caused
+ the server to send a warning message to the client that contained
+ the full path to the CGI script. This could be considered a
+ minor security exposure. [Bill Stoddard]
*) mod_autoindex output when SuppressRules was specified would
omit the first carriage return so the first item in the list
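Review bot: the CHANGES entry describes only the APLOG_TOCLIENT flag and omits the second half of the fix visible in the script-header hunks, where `r->filename` is replaced by `apr_filename_of_pathname(r->filename)` so that only the basename of the script is reported. Because that also changes what is written to the error log, it belongs in the entry; suggest appending a sentence such as "The script reported for premature-end and malformed-header errors is now identified by basename only."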
#define APLOG_NOERRNO (APLOG_LEVELMASK + 1)
+/* Use APLOG_TOCLIENT to cause ap_log_rerror() to send the message
+ * to the client in addition to recording it to the error log.
+ */
+#define APLOG_TOCLIENT (APLOG_LEVELMASK + 2)
+
/* normal but significant condition on startup, usually printed to stderr */
#define APLOG_STARTUP ((APLOG_LEVELMASK + 1) * 4)
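Review bot: `#define APLOG_TOCLIENT (APLOG_LEVELMASK + 2)` does not allocate a distinct flag bit. The neighbouring definitions treat APLOG_LEVELMASK as a contiguous low-bit mask (`APLOG_NOERRNO` is `APLOG_LEVELMASK + 1`, the first bit above the mask, and `APLOG_STARTUP` is `(APLOG_LEVELMASK + 1) * 4`), so `APLOG_LEVELMASK + 2` equals `APLOG_NOERRNO | 1` and overlaps both the NOERRNO bit and the lowest level bit. With that value the `level & APLOG_TOCLIENT` test added in log.c is true for every call that passes APLOG_NOERRNO, which both converted call sites do, and for any severity whose low bit is set, so the new opt-in is effectively always on and the exposure the flag is meant to close remains. Use the next free bit, following the APLOG_STARTUP pattern: `#define APLOG_TOCLIENT ((APLOG_LEVELMASK + 1) * 2)`.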
log_error_core(file, line, level, status, r->server, r, NULL, fmt, args);
/*
- * IF the error level is 'warning' or more severe,
+ * IF APLOG_TOCLIENT is set,
+ * AND the error level is 'warning' or more severe,
* AND there isn't already error text associated with this request,
* THEN make the message text available to ErrorDocument and
- * other error processors. This can be disabled by stuffing
- * something, even an empty string, into the "error-notes" cell
- * before calling this routine.
+ * other error processors.
*/
va_end(args);
va_start(args,fmt);
- if (((level & APLOG_LEVELMASK) <= APLOG_WARNING)
+ if ((level & APLOG_TOCLIENT)
+ && ((level & APLOG_LEVELMASK) <= APLOG_WARNING)
&& (apr_table_get(r->notes, "error-notes") == NULL)) {
apr_table_setn(r->notes, "error-notes",
ap_escape_html(r->pool, apr_pvsprintf(r->pool, fmt,
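Review bot: the rewritten comment drops the sentence explaining that a handler can suppress this by pre-seeding "error-notes" (even with an empty string), yet the `apr_table_get(r->notes, "error-notes") == NULL` guard that implements that behaviour is unchanged, so the dropped text is still accurate and should be kept. It would also help to state in the same comment that the stored text is passed through ap_escape_html precisely because it may be emitted to the client, so callers must not treat it as raw message text.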
while (1) {
if ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data) == 0) {
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "Premature end of script headers: %s", r->filename);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR|APLOG_TOCLIENT, 0, r,
+ "Premature end of script headers: %s",
+ apr_filename_of_pathname(r->filename));
return HTTP_INTERNAL_SERVER_ERROR;
}
}
}
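Review bot: replacing `r->filename` with `apr_filename_of_pathname(r->filename)` strips the directory from the error-log entry as well as from the client-visible text, since a single format string feeds both. An administrator diagnosing "Premature end of script headers" across several directories that contain same-named scripts loses the detail that identified the failing script. Consider logging the full path without APLOG_TOCLIENT and emitting a separate APLOG_TOCLIENT message that carries only the basename, or at least document the reduced log detail in CHANGES.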
- ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR, 0, r,
- "%s: %s", malformed, r->filename);
+ ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR|APLOG_TOCLIENT, 0, r,
+ "%s: %s", malformed,
+ apr_filename_of_pathname(r->filename));
return HTTP_INTERNAL_SERVER_ERROR;
}
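Review bot: the new `ap_log_rerror(APLOG_MARK, APLOG_NOERRNO|APLOG_ERR|APLOG_TOCLIENT, 0, r,` line runs past 80 columns; wrap the flags onto a continuation line as the surrounding code does. The error-log entry for a malformed header now also identifies the script by basename only, for the same reason as in the premature-end hunk: one format string serves both the log and the client, so the log loses the directory component.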