[Ben Laurie]
*) SECURITY: CAN-2003-0020 (cve.mitre.org)
- Escape arbitrary data before writing into the errorlog.
- [André Malo]
+ Escape arbitrary data before writing into the errorlog. Unescaped
+ errorlogs are still possible using the compile time switch
+ "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]
*) '%X' is now accepted as an alias for '%c' in the
LogFormat directive. This allows you to configure logging
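Review bot: the reworded CHANGES entry names the "-DAP_UNSAFE_ERROR_LOG_UNESCAPED" switch but not its consequence; the `+` lines should state that building with it writes arbitrary (including client-supplied) data to the error log verbatim and therefore restores the exposure that CAN-2003-0020 fixes, so anyone reading CHANGES can make that trade-off knowingly. Something like "Unescaped errorlogs (which reintroduce the CAN-2003-0020 issue) are still possible using ..." would do it in place.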
const server_rec *s, const request_rec *r,
const char *fmt, va_list args)
{
- char errstr[MAX_STRING_LEN], scratch[MAX_STRING_LEN];
+ char errstr[MAX_STRING_LEN];
+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
+ char scratch[MAX_STRING_LEN];
+#endif
size_t len;
int save_errno = errno;
FILE *logf;
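Review bot: the `#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED` guard placed around `char scratch[MAX_STRING_LEN];` here has to stay paired with the identical guard at the use site; moving the declaration under the guard is the right call, since an unescaped build would otherwise carry a second MAX_STRING_LEN stack buffer that nothing references and draw an unused-variable warning. A one-line comment beside the declaration saying that `scratch` holds the pre-escape formatted text would help keep the two guards in sync across future edits.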
}
#endif
+#ifndef AP_UNSAFE_ERROR_LOG_UNESCAPED
if (ap_vsnprintf(scratch, sizeof(scratch) - len, fmt, args)) {
len += ap_escape_errorlog_item(errstr + len, scratch,
sizeof(errstr) - len);
}
+#else
+ len += ap_vsnprintf(errstr + len, sizeof(errstr) - len, fmt, args);
+#endif
/* NULL if we are logging to syslog */
if (logf) {
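Review bot: the new `#else` branch, `len += ap_vsnprintf(errstr + len, sizeof(errstr) - len, fmt, args);`, copies the formatted text and any control characters it carries straight into `errstr`, which is exactly what the escaped path above it exists to prevent; a short comment above `#else` stating that this branch is unsafe by design and compiled only when the macro is deliberately defined would keep that visible at the point of use rather than only in CHANGES. The escaped path also deserves a comment: `sizeof(scratch) - len` caps the formatted text at the space remaining in `errstr` even though `scratch` is a full-size buffer, which is intentional because escaping may expand the text and `ap_escape_errorlog_item` is separately bounded by `sizeof(errstr) - len`, but as written it reads like an off-by-buffer mistake.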