Bugzilla – Attachment 17068 Details for
Bug 50450
VUL-0: CVE-2004-0113: apache: 2 new security bugs
[patch]
proposed patch for 2.0.48 to fix unescaped errorlog problem (backport from 2.0.49)
httpd-2.0.48-escaped-errorlogs.dif (text/plain), 4.44 KB, created by
Peter Poeml
on 2004-03-24 01:43:53 UTC
Description:
proposed patch for 2.0.48 to fix unescaped errorlog problem (backport from 2.0.49)
Filename:
MIME Type:
Creator:
Peter Poeml
Created:
2004-03-24 01:43:53 UTC
Size:
4.44 KB
>diff -uNr httpd-2.0.48.orig/server/log.c httpd-2.0.49/server/log.c
>--- httpd-2.0.48.orig/server/log.c 2003-06-23 15:03:59.000000000 +0200
>+++ httpd-2.0.49/server/log.c 2004-03-09 00:12:44.000000000 +0100
>@@ -402,6 +360,9 @@
> const char *fmt, va_list args)
> {
> char errstr[MAX_STRING_LEN];
>+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
>+ char scratch[MAX_STRING_LEN];
>+#endif
> apr_size_t len, errstrlen;
> apr_file_t *logf = NULL;
> const char *referer;
>@@ -536,12 +497,30 @@
> errstr[len] = '\0';
> }
> }
>+
> errstrlen = len;
>+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
>+ if (apr_vsnprintf(scratch, MAX_STRING_LEN - len, fmt, args)) {
>+ len += ap_escape_errorlog_item(errstr + len, scratch,
>+ MAX_STRING_LEN - len);
>+ }
>+#else
> len += apr_vsnprintf(errstr + len, MAX_STRING_LEN - len, fmt, args);
>+#endif
>
>- if (r && (referer = apr_table_get(r->headers_in, "Referer"))) {
>+ if ( r && (referer = apr_table_get(r->headers_in, "Referer"))
>+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
>+ && ap_escape_errorlog_item(scratch, referer, MAX_STRING_LEN - len)
>+#endif
>+ ) {
> len += apr_snprintf(errstr + len, MAX_STRING_LEN - len,
>- ", referer: %s", referer);
>+ ", referer: %s",
>+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
>+ scratch
>+#else
>+ referer
>+#endif
>+ );
> }
>
> /* NULL if we are logging to syslog */
>diff -uNr httpd-2.0.48.orig/include/httpd.h httpd-2.0.49/include/httpd.h
>--- httpd-2.0.48.orig/include/httpd.h 2003-10-24 18:19:31.000000000 +0200
>+++ httpd-2.0.49/include/httpd.h 2004-02-09 21:54:34.000000000 +0100
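Review bot: In the second server/log.c hunk the escaped Referer can be cut in the middle of an escape sequence, because `ap_escape_errorlog_item(scratch, referer, MAX_STRING_LEN - len)` is given the whole remaining space while the following `apr_snprintf` must also fit the `", referer: "` prefix into that same space. The escaper itself avoids emitting a partial `\xHH`, but this second truncation can still end the line on a lone backslash or `\x`, which a tool that unescapes the error log may misread. Consider reserving the prefix in the budget, guarded so the unsigned subtraction cannot wrap: `apr_size_t pfx = sizeof(", referer: ") - 1;`, escape only when `MAX_STRING_LEN - len > pfx`, and pass `MAX_STRING_LEN - len - pfx` as the buffer size. A short comment at the first `#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED` saying that defining it writes client-supplied bytes to the log unescaped would also help. The function body starts and ends outside both log.c hunks.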
>@@ -1370,12 +1343,22 @@
> /**
> * Escape a string for logging
> * @param p The pool to allocate from
>- * @param s The string to escape
>+ * @param str The string to escape
> * @return The escaped string
> */
> AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char *str);
>
> /**
>+ * Escape a string for logging into the error log (without a pool)
>+ * @param dest The buffer to write to
>+ * @param source The string to escape
>+ * @param buflen The buffer size for the escaped string (including \0)
>+ * @return The len of the escaped string (always < maxlen)
>+ */
>+AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
>+ apr_size_t buflen);
>+
>+/**
> * Construct a full hostname
> * @param p The pool to allocate from
> * @param hostname The hostname of the server
>diff -uNr httpd-2.0.48.orig/server/util.c httpd-2.0.49/server/util.c
>--- httpd-2.0.48.orig/server/util.c 2003-06-17 19:39:10.000000000 +0200
>+++ httpd-2.0.49/server/util.c 2004-02-09 21:59:46.000000000 +0100
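Review bot: In include/httpd.h the new doc comment for ap_escape_errorlog_item says the return value is `always < maxlen`, but the function has no `maxlen` parameter; the bound is `buflen`. The comment also does not say that the output is silently truncated to fit, which callers sizing a log line need to know. I would write `@return The length of the escaped string, not counting the terminating \0 (always < buflen); the output is truncated to fit`.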
>@@ -1837,6 +1794,70 @@
> return ret;
> }
>
>+AP_DECLARE(apr_size_t) ap_escape_errorlog_item(char *dest, const char *source,
>+ apr_size_t buflen)
>+{
>+ unsigned char *d, *ep;
>+ const unsigned char *s;
>+
>+ if (!source || !buflen) { /* be safe */
>+ return 0;
>+ }
>+
>+ d = (unsigned char *)dest;
>+ s = (const unsigned char *)source;
>+ ep = d + buflen - 1;
>+
>+ for (; d < ep && *s; ++s) {
>+
>+ if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
>+ *d++ = '\\';
>+ if (d >= ep) {
>+ --d;
>+ break;
>+ }
>+
>+ switch(*s) {
>+ case '\b':
>+ *d++ = 'b';
>+ break;
>+ case '\n':
>+ *d++ = 'n';
>+ break;
>+ case '\r':
>+ *d++ = 'r';
>+ break;
>+ case '\t':
>+ *d++ = 't';
>+ break;
>+ case '\v':
>+ *d++ = 'v';
>+ break;
>+ case '\\':
>+ *d++ = *s;
>+ break;
>+ case '"': /* no need for this in error log */
>+ d[-1] = *s;
>+ break;
>+ default:
>+ if (d >= ep - 2) {
>+ ep = --d; /* break the for loop as well */
>+ break;
>+ }
>+ c2x(*s, d);
>+ *d = 'x';
>+ d += 3;
>+ }
>+ }
>+ else {
>+ *d++ = *s;
>+ }
>+ }
>+ *d = '\0';
>+
>+ return (d - (unsigned char *)dest);
>+}
>+
> AP_DECLARE(int) ap_is_directory(apr_pool_t *p, const char *path)
> {
> apr_finfo_t finfo;
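Review bot: The early return `if (!source || !buflen) return 0;` in ap_escape_errorlog_item leaves `dest` untouched, so with a NULL `source` and a non-zero `buflen` the caller gets length 0 but no terminating NUL in its buffer. The two call sites in this patch pass non-NULL sources, but the function is exported with AP_DECLARE, so another caller that then treats `dest` as a string would read whatever was there before. Terminating the buffer whenever there is room closes that gap: `if (!buflen) return 0;` followed by `if (!source) { *dest = '\0'; return 0; }`. It is also worth a comment that `c2x` is expected to write exactly three bytes at `d` (the first is then overwritten with `x`), since the `d >= ep - 2` bound depends on that and c2x is defined outside this hunk.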
Attachments on
bug 50450
:
16519
|
16520
| 17068 |
17486
|
17488