Project

General

Profile

Actions

Bug #918

closed

lighttpd does not escape double quotes in request logs

Added by Anonymous over 14 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Normal
Category:
mod_accesslog
Target version:
-
ASK QUESTIONS IN Forums:

Description

Here's how lighttpd logs a request where the requested URL contains a double quote:


213.113.99.151 - - [22/Nov/2006:02:35:02 +0100] "GET /test"monkey HTTP/1.1" 404 ...

Here's a similar request to an apache 1.3.33 server:


213.113.99.151 - - [22/Nov/2006:02:36:14 +0100] "GET /test\"monkey HTTP/1.1" 404 ...

As double quotes are used to signal the beginning and ending of some fields, they should definately be escaped whenever they appear inside these fields.

This is one situation that I've come across recently (trying to parse apache log lines; it's really a horrible format, from this perspective). Perhaps there are other fields in which some characters should be escaped. Whether apache handles such cases or not is beyond my knowledge.


Related issues

Is duplicate of Bug #1551: mod_accesslog does not escape quotesFixedicyActions
Actions #1

Updated by Anonymous over 14 years ago

I also face the same problem.

-- Alan Tam

Actions #2

Updated by Anonymous almost 14 years ago

This is a serious problem, because it allows anyone to fool around with log analyzers, which can be used for anything from skewing stats to hiding attack attempts.

-- kl

Actions #3

Updated by gstrauss over 5 years ago

Please close ticket. Fixed in https://redmine.lighttpd.net/issues/1551

Actions #4

Updated by stbuehler over 5 years ago

  • Is duplicate of Bug #1551: mod_accesslog does not escape quotes added
Actions #5

Updated by stbuehler over 5 years ago

  • Description updated (diff)
  • Status changed from New to Duplicate
  • Assignee deleted (jan)
Actions

Also available in: Atom