From e5123950bf65f1e4067937351f5a120fa10b5c88 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Andr=C3=A9=20Malo?= <nd@apache.org>
Date: Sun, 6 Apr 2003 21:34:03 +0000
Subject: [PATCH] document log escaping
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Reviewed by: Astrid Ke�ler, Erik Abele


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@99283 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/manual/mod/mod_log_config.html.en | 19 ++++++++++++++-----
 docs/manual/mod/mod_log_config.xml     | 19 ++++++++++++++-----
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/docs/manual/mod/mod_log_config.html.en b/docs/manual/mod/mod_log_config.html.en
index fb33e89753..7c542da77e 100644
--- a/docs/manual/mod/mod_log_config.html.en
+++ b/docs/manual/mod/mod_log_config.html.en
@@ -178,11 +178,20 @@
     "%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
     which did <em>not</em> return some sort of normal status.</p>
 
-    <p>Note that there is no escaping performed on the strings from
-    <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
-    is mainly to comply with the requirements of the Common Log Format.
-    This implies that clients can insert control characters into the log,
-    so care should be taken when dealing with raw log files.</p>
+    <p>Note that in versions previous to 2.0.46 no escaping has been performed
+    on the strings from <code>%...r</code>, <code>%...i</code> and
+    <code>%...o</code>. This was mainly to comply with the requirements of
+    the Common Log Format. This implied that clients could insert control
+    characters into the log, so you had to be quite careful when dealing
+    with raw log files.</p>
+
+    <p>For security reasons starting with 2.0.46 non-printable and
+    other special characters are escaped mostly by using
+    <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for
+    the hexadecimal representation of the raw byte. Exceptions from this
+    rule are <code>"</code> and <code>\</code> which are escaped by prepending
+    a backslash, and all whitespace characters that are written in their
+    C-notation (<code>\n</code>, <code>\t</code> etc).</p>
 
     <p>Some commonly used log format strings are:</p>
 
diff --git a/docs/manual/mod/mod_log_config.xml b/docs/manual/mod/mod_log_config.xml
index f8e4c8175c..3eb3cee991 100644
--- a/docs/manual/mod/mod_log_config.xml
+++ b/docs/manual/mod/mod_log_config.xml
@@ -185,11 +185,20 @@
     "%!200,304,302{Referer}i" logs <code>Referer:</code> on all requests
     which did <em>not</em> return some sort of normal status.</p>
 
-    <p>Note that there is no escaping performed on the strings from
-    <code>%...r</code>, <code>%...i</code> and <code>%...o</code>. This
-    is mainly to comply with the requirements of the Common Log Format.
-    This implies that clients can insert control characters into the log,
-    so care should be taken when dealing with raw log files.</p>
+    <p>Note that in versions previous to 2.0.46 no escaping has been performed
+    on the strings from <code>%...r</code>, <code>%...i</code> and
+    <code>%...o</code>. This was mainly to comply with the requirements of
+    the Common Log Format. This implied that clients could insert control
+    characters into the log, so you had to be quite careful when dealing
+    with raw log files.</p>
+
+    <p>For security reasons starting with 2.0.46 non-printable and
+    other special characters are escaped mostly by using
+    <code>\x<var>hh</var></code> sequences, where <var>hh</var> stands for
+    the hexadecimal representation of the raw byte. Exceptions from this
+    rule are <code>"</code> and <code>\</code> which are escaped by prepending
+    a backslash, and all whitespace characters that are written in their
+    C-notation (<code>\n</code>, <code>\t</code> etc).</p>
 
     <p>Some commonly used log format strings are:</p>
 
-- 
2.40.0