On Thu, Jul 19, 2012 at 12:56 PM, Chris Darroch <chr...@pearsoncmg.com> wrote: > Jeff Trawick wrote: > >>> Modified: httpd/httpd/trunk/server/util_script.c >>> URL: >>> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util_script.c?rev=1362538&r1=1362537&r2=1362538&view=diff >>> >>> ============================================================================== >>> --- httpd/httpd/trunk/server/util_script.c (original) >>> +++ httpd/httpd/trunk/server/util_script.c Tue Jul 17 15:26:27 2012 >>> @@ -592,11 +592,11 @@ AP_DECLARE(int) ap_scan_script_header_er >>> if (!ap_is_HTTP_VALID_RESPONSE(cgi_status)) >>> ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, >>> 0, r, >>> "Invalid status line from script '%s': >>> %s", >> >> >> what about limiting the number of characters logged and potentially >> sent to the client via error-notes? >> >> ("%.120s" anyone?) > > > Sounds good to me ... are there any debug/trace log which truncate > output in a similar way that could serve as "best practices" examples? > I fished around a bit for %.[0-9]+s but didn't see anything obvious ...
dunno Actually, I wonder why this code allows the unexpected script output to be part of error-notes anyway. In fact all the uses of APLOG_TOCLIENT look suspect. Why should the client be told anything about the application that handles the request? The feature presumably helps CGI developers, but they should be able to check the error log. > > Chris. > > -- > GPG Key ID: 088335A9 > GPG Key Fingerprint: 86CD 3297 7493 75BC F820 6715 F54F E648 0883 35A9 > -- Born in Roswell... married an alien... http://emptyhammock.com/