Thanks very much Gustaf. That looks great.

On 14 July 2015 at 17:59, Gustaf Neumann <neum...@wu.ac.at> wrote:

> Dear all,
>
> This is again a very reasonable request. Since most access-log analyzers
> are developed against Apache rules, it seems that sticking to Apache rules
> is sensible ... although missing a few lines of hacking attempts is usually
> not an issue.
>
> I've added a small addition to the tip version that performs Apache-style
> substitutions in the query fraction of the access log. The updated version
> performs Apache-style escaping for all double-quoted fields depending
> potentially on external input, such as the user agent field or the referrer
> field.
>
> all the best
> -g
>
> On 14.07.15 at 09:05, David Osborne wrote:
>
> Hi,
>
>  We're coming up against a problem where we attempt to parse data in a
> naviserver access log to analyse server use.
>
>  We were relying on the combined log format being parsable but are
> running into difficulties when non-percent encoded characters are making
> their way into the logged request.
>
>  For example, the URL for testing for a XSS exploit:
>
>  /tiki-list_file_gallery.php/>"><script>alert(document.domain)</script>
>
>  This will be logged to the access log as:
>
>  9.9.9.9 - - [14/Jul/2015:14:55:34 +0100] "GET /tiki-list_file_gallery.php/>"><script>alert(document.domain)</script> HTTP/1.0" 404 737 "" "curl/7.26.0" "1436882134.386210 0.038129 0.000129 0.000016 0.000152"
>
>  Because of the unescaped quote we can't reliably parse this entry.
>
>  I wasn't sure what the server should do in cases like this. The quote
> should technically be percent encoded but clients like curl allow the raw
> character to be sent.
>
>  Apache escapes quotes by prefixing a backslash before logging:
> http://httpd.apache.org/docs/2.2/mod/mod_log_config.html
> "Exceptions from this rule are " and \, which are escaped by prepending a
> backslash, and all whitespace characters, which are written in their
> C-style notation (\n, \t, etc)"
>
> Nginx replaces quotes in the log with \x22:
>
> http://trac.nginx.org/nginx/changeset?old_path=%2Fnginx&old=66dc85397a9006d5ecdd74c56d9eac1fd479b5d6&new_path=%2Fnginx&new=66dc85397a9006d5ecdd74c56d9eac1fd479b5d6
>
> Do we have any means of doing something similar in Naviserver?
>
>  --
>  David
>
>
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> naviserver-devel mailing list
> naviserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/naviserver-devel
>
>
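The escaping discussed in this thread, sketched as an added example that is not NaviServer's code and not part of either message: `log_escape` applies the Apache rule quoted above to a value destined for a double-quoted field, and `delimiting_quotes` is the analyzer-side check that shows why the raw entry cannot be split. Both function names and the shortened log line layout are assumptions made for illustration; writing other non-printable bytes as `\xhh` follows the Apache documentation.

```c
#include <stdio.h>
#include <string.h>
/* Escape a value for a double-quoted log field: '"' and '\' get a backslash,
 * newline and tab use C notation, other non-printable bytes become \xhh.
 * Returns the escaped length, or -1 if out (outlen bytes incl. NUL) is too small. */
static int log_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        char buf[8] = { (char)*p, '\0' };   /* default: copy the byte as is */
        const char *rep = buf;
        switch (*p) {
        case '"':  rep = "\\\""; break;
        case '\\': rep = "\\\\"; break;
        case '\n': rep = "\\n";  break;
        case '\t': rep = "\\t";  break;
        default:
            if (*p < 0x20 || *p >= 0x7f) snprintf(buf, sizeof buf, "\\x%02x", (unsigned)*p);
        }
        size_t n = strlen(rep);
        if (o + n >= outlen) return -1;     /* keep room for the NUL */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Analyzer side: count delimiting quotes; a backslash-escaped character is data. */
static int delimiting_quotes(const char *line)
{
    int n = 0;
    for (const char *p = line; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') p++;   /* skip the escaped character */
        else if (*p == '"') n++;
    }
    return n;
}

int main(void)
{
    /* Request path from the report above; the log line is constructed and shortened. */
    const char *url = "/tiki-list_file_gallery.php/>\"><script>alert(document.domain)</script>";
    char esc[256], line[512];
    if (log_escape(url, esc, sizeof esc) < 0) return 1;
    snprintf(line, sizeof line, "\"GET %s HTTP/1.0\" 404 737 \"\" \"curl/7.26.0\"", esc);
    printf("%s\n-> %d delimiting quotes\n", line, delimiting_quotes(line));
    return 0;
}
```

An odd count from `delimiting_quotes` means a quote arrived unescaped, which is the case for the raw entry in the report; with the escaped path the count is even and the fields pair up.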