From 849ccfac040eb956c0c6fa3339d5ef8378aea100 Mon Sep 17 00:00:00 2001
From: Chris Pepper
Date: Wed, 9 Apr 2003 04:08:21 +0000
Subject: [PATCH] Clarify some wording. Note this change (as previously written, it implied that 1.3.5 had this vulnerability, which is not true). I'm not sure if "httpd 2.0" is the preferred name.

-

Note that in versions previous to 2.0.46 no escaping has been performed +

Note that in httpd 2.0 versions prior to 2.0.46, no escaping was performed on the strings from %...r, %...i and %...o. This was mainly to comply with the requirements of the Common Log Format. This implied that clients could insert control characters into the log, so you had to be quite careful when dealing with raw log files.

-

For security reasons starting with 2.0.46 non-printable and +

For security reasons, starting with 2.0.46, non-printable and other special characters are escaped mostly by using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte. Exceptions from this rule are " and \ which are escaped by prepending - a backslash, and all whitespace characters that are written in their - C-notation (\n, \t etc).

+ a backslash, and all whitespace characters which are written in their + C-style notation (\n, \t etc).

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99302 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_log_config.xml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/docs/manual/mod/mod_log_config.xml b/docs/manual/mod/mod_log_config.xml index 3eb3cee991..d81cb48163 100644 --- a/docs/manual/mod/mod_log_config.xml +++ b/docs/manual/mod/mod_log_config.xml @@ -33,8 +33,8 @@

The format argument to the LogFormat and CustomLog directives is a string. This string is - logged to the log file for each request. It can contain literal - characters copied into the log files and the c-type control + used to log each request to the log file. It can contain literal + characters copied into the log files and the C-style control characters "\n" and "\t" to represent new-lines and tabs. Literal quotes and back-slashes should be escaped with back-slashes.

@@ -185,20 +185,20 @@ "%!200,304,302{Referer}i" logs Referer: on all requests which did not return some sort of normal status.

-

Note that in versions previous to 2.0.46 no escaping has been performed +

Note that in httpd 2.0 versions prior to 2.0.46, no escaping was performed on the strings from %...r, %...i and %...o. This was mainly to comply with the requirements of the Common Log Format. This implied that clients could insert control characters into the log, so you had to be quite careful when dealing with raw log files.

-

For security reasons starting with 2.0.46 non-printable and +

For security reasons, starting with 2.0.46, non-printable and other special characters are escaped mostly by using \xhh sequences, where hh stands for the hexadecimal representation of the raw byte. Exceptions from this rule are " and \ which are escaped by prepending - a backslash, and all whitespace characters that are written in their - C-notation (\n, \t etc).

+ a backslash, and all whitespace characters which are written in their + C-style notation (\n, \t etc).

Some commonly used log format strings are:

@@ -272,7 +272,7 @@ characteristics using environment variables.

The first argument, which specifies the location to which - the logs will be written, can take on one of the following two + the logs will be written, can take one of the following two types of values:

@@ -286,7 +286,7 @@ input. Security: -

If a program is used, then it will be run under the user who +

If a program is used, then it will be run as the user who started httpd. This will be root if the server was started by root; be sure that the program is secure.

@@ -316,8 +316,8 @@ CustomLog logs/access_log "%h %l %u %t \"%r\" %>s %b" -

The third argument is optional and allows the decision on - whether or not to log a particular request to be based on the +

The third argument is optional and controls whether or + not to log a particular request based on the presence or absence of a particular variable in the server environment. If the specified environment variable is set for the request (or is not set, in the case @@ -357,7 +357,7 @@ this directive sets the log format which will be used by logs specified in subsequent TransferLog directives. The single argument can specify an explicit - format as discussed in custom log + format as discussed in the custom log formats section above. Alternatively, it can use a nickname to refer to a log format defined in a previous LogFormat directive as described @@ -375,7 +375,7 @@ it the default. Therefore, it will not affect subsequent TransferLog directives. In addition, LogFormat cannot use one nickname - to define another nickname. Note, that the nickname should not contain + to define another nickname. Note that the nickname should not contain percent signs (%).

Example @@ -398,7 +398,7 @@ to be specified explicitly or for conditional logging of requests. Instead, the log format is determined by the most recently specified LogFormat directive - (which does not define a nickname). Common Log Format is used if no + which does not define a nickname. Common Log Format is used if no other format has been specified.

Example -- 2.50.1
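Review bot: in the @@ -185,20 +185,20 @@ hunk, the change from "all whitespace characters that are written in their C-notation" to "all whitespace characters which are written in their C-style notation" leaves the clause ambiguous: without a comma, "which" still reads as restrictive, as if only some whitespace characters get the C-style form. If every whitespace character is written as \n, \t and so on, make the clause non-restrictive ("all whitespace characters, which are written in their C-style notation"); otherwise keep "that". The product name is a second, smaller point: the commit message is itself unsure whether "httpd 2.0" is the preferred form, so check what the rest of mod_log_config.xml calls the 2.0 series and use that consistently in "in httpd 2.0 versions prior to 2.0.46". The rewording does correctly narrow the affected range to the 2.0 series, which removes the earlier implication that 1.3.x had the unescaped-log problem, and the two paragraphs now read as cause and effect: clients could put control characters into raw logs before 2.0.46, and the \xhh escaping from 2.0.46 on is what makes those raw files safe to handle.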
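Review bot: in the @@ -398,7 +398,7 @@ hunk, dropping the parentheses around "(which does not define a nickname)" turns a parenthetical aside into a restrictive clause, so the sentence now says TransferLog uses the most recent LogFormat directive that does not define a nickname, rather than simply the most recent LogFormat directive. That restrictive reading is the intended one given the surrounding text (a LogFormat with a nickname does not become the default), so the change is a correctness improvement as well as a style one; for a restrictive clause, "the most recently specified LogFormat directive that does not define a nickname" would be the more conventional wording.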