Ticket #918 (new defect)

Opened 2 years ago

Last modified 6 months ago

lighttpd does not escape double quotes in request logs

Reported by: anonymous
Assigned to: jan
Priority: normal
Milestone:
Component: mod_accesslog
Version: 1.4.11
Severity: normal
Keywords: request log escape double quote
Cc: pkchan
Blocking:
Need Feedback: 1

Description

Here's how lighttpd logs a request where the requested URL contains a double quote:

213.113.99.151 - - [22/Nov/2006:02:35:02 +0100] "GET /test"monkey HTTP/1.1" 404 ...

Here's a similar request to an Apache 1.3.33 server:

213.113.99.151 - - [22/Nov/2006:02:36:14 +0100] "GET /test\"monkey HTTP/1.1" 404 ...

As double quotes are used to signal the beginning and ending of some fields, they should definitely be escaped whenever they appear inside these fields.

This is one situation that I've come across recently (trying to parse Apache log lines; it's really a horrible format, from this perspective). Perhaps there are other fields in which some characters should be escaped. Whether Apache handles such cases or not is beyond my knowledge.

Change History

02/18/2007 05:29:14 PM changed by Alan Tam

I also face the same problem.

06/20/2007 10:04:07 AM changed by kl

This is a serious problem, because it allows anyone to fool around with log analyzers, which can be used for anything from skewing stats to hiding attack attempts.

01/11/2008 07:43:04 AM changed by pkchan

  • cc set to pkchan.
  • blocking changed.
  • pending set to 1.
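
Added example, not part of the ticket and not lighttpd or Apache code: a writer-side escape for quoted log fields with a strict parser that honours it, run against the two log lines quoted in the description. The function names are made up for this example, and the handling of backslashes and control characters is an assumption; the ticket itself only shows the `\"` case.

```python
import re

# Layout of the two log lines quoted in the ticket. Inside the quoted request
# field a backslash escapes the next character; a bare '"' ends the field.
LINE_RE = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3})(?: |$)'
)
UNESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)')

def escape_field(value):
    """Writer side: make a value safe to place between double quotes."""
    out = []
    for ch in value:
        if ch in '"\\':
            out.append('\\' + ch)              # \" as in the Apache line
        elif ord(ch) < 0x20 or ord(ch) == 0x7f:
            out.append('\\x%02x' % ord(ch))    # assumption: hex-escape controls
        else:
            out.append(ch)
    return ''.join(out)

def unescape_field(value):
    """Reader side: inverse of escape_field."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else tok
    return UNESCAPE_RE.sub(repl, value)

def parse_line(line):
    """Return the fields as a dict, or None if the quoting is ambiguous."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec['request'] = unescape_field(rec['request'])
    return rec

def triage(lines):
    """Split lines into parsed records and rejects kept for manual review."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        (parsed if rec else rejected).append(rec or line)
    return parsed, rejected

# The two lines from the ticket, copied verbatim (trailing "..." included).
LIGHTTPD_LINE = '213.113.99.151 - - [22/Nov/2006:02:35:02 +0100] "GET /test"monkey HTTP/1.1" 404 ...'
APACHE_LINE = r'213.113.99.151 - - [22/Nov/2006:02:36:14 +0100] "GET /test\"monkey HTTP/1.1" 404 ...'
```

A log analyzer built this way keeps the rejected lines and reports their count instead of silently dropping or guessing at them, so unescaped entries show up in review.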
