Bug #918
closed
lighttpd does not escape double quotes in request logs
Description
Here's how lighttpd logs a request where the requested URL contains a double quote:
213.113.99.151 - - [22/Nov/2006:02:35:02 +0100] "GET /test"monkey HTTP/1.1" 404 ...
Here's a similar request to an apache 1.3.33 server:
213.113.99.151 - - [22/Nov/2006:02:36:14 +0100] "GET /test\"monkey HTTP/1.1" 404 ...
As double quotes are used to signal the beginning and ending of some fields, they should definitely be escaped whenever they appear inside these fields.
This is one situation that I've come across recently (trying to parse apache log lines; it's really a horrible format, from this perspective). Perhaps there are other fields in which some characters should be escaped. Whether apache handles such cases or not is beyond my knowledge.
Updated by Anonymous almost 18 years ago
I also face the same problem.
-- Alan Tam
Updated by Anonymous over 17 years ago
This is a serious problem, because it allows anyone to fool around with log analyzers, which can be used for anything from skewing stats to hiding attack attempts.
-- kl
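An added example, not part of the original thread or of lighttpd's code: a strict access-log parser that unescapes `\"` the way the Apache line in the report is written, and rejects any line where the request field closes early instead of guessing at the remaining fields. The sample lines are constructed (documentation IP address, made-up byte count) and the function names are this example's own.

```python
import re

# Common Log Format prefix: host ident user [time], then the opening quote.
PREFIX = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "')
# After the closing quote a well-formed line continues with status and size.
TAIL = re.compile(r'^ (\d{3}) (\d+|-)')

def read_quoted(line, pos):
    """Read a quoted field from just after its opening quote.
    Unescapes \\" and \\\\ only; returns (value, index after closing quote)."""
    out, i = [], pos
    while i < len(line):
        c = line[i]
        if c == "\\" and line[i + 1:i + 2] in ('"', "\\"):
            out.append(line[i + 1])
            i += 2
        elif c == '"':
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated quoted field")

def parse_line(line):
    """Return the parsed fields, or raise ValueError if the line is ambiguous."""
    m = PREFIX.match(line)
    if not m:
        raise ValueError("bad prefix")
    request, end = read_quoted(line, m.end())
    t = TAIL.match(line[end:])
    if not t:
        # An unescaped quote ended the request field early, so the status
        # code is not where it should be. Refuse rather than misattribute.
        raise ValueError("status/size missing after request field")
    return {"host": m.group(1), "request": request, "status": int(t.group(1))}

def classify(lines):
    """Split lines into parsed records and rejected raw lines for review."""
    ok, rejected = [], []
    for line in lines:
        try:
            ok.append(parse_line(line))
        except ValueError:
            rejected.append(line)
    return ok, rejected

# Constructed sample lines modelled on the two in the report.
UNESCAPED = '192.0.2.10 - - [22/Nov/2006:02:35:02 +0100] "GET /test"monkey HTTP/1.1" 404 345'
ESCAPED = '192.0.2.10 - - [22/Nov/2006:02:36:14 +0100] "GET /test\\"monkey HTTP/1.1" 404 345'
```

Counting and reviewing the rejected lines, rather than silently dropping them, keeps requests with embedded quotes visible to whoever reads the stats.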
Updated by gstrauss over 8 years ago
Please close ticket. Fixed in https://redmine.lighttpd.net/issues/1551
Updated by stbuehler over 8 years ago
- Is duplicate of Bug #1551: mod_accesslog does not escape quotes added
Updated by stbuehler over 8 years ago
- Description updated (diff)
- Status changed from New to Duplicate
- Assignee deleted (jan)