
Server logging - Apache HTTP server

"In addition, log files may contain information supplied directly by the client, without escaping. Therefore, it is possible for malicious clients to insert control-characters in the log files, so care must be taken in dealing with raw logs."

http://httpd.apache.org/docs/1.3/logs.html

What does it mean when it says "without escaping" ?

Escaping is when you take a CRLF (a Windows-style line break) and convert it to \r\n; those are the two "escaped" characters you would need to handle, \t is a tab, and so on. It renders them in a form in which they cannot do what they would otherwise do, but you know where they were and can convert them back to their original form.

Read: http://en.wikipedia.org/wiki/Code_injection#Shell_injection

If I was to escape html, <a> would be escaped to &lt;a&gt;

This way the code wouldn't be rendered and won't execute (and is thus considered safe).

If I was accepting user input, and rendered their input directly back to other users, someone might put malicious code in there. E.g.: http://myunsafesite.com?comment=<script>alert('i steal cookies')</script>

While the above example doesn't apply to a log file, it is the same principle on the file system. Successful exploits may allow attackers to create new files and execute code on the web server.
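The log-injection risk that the Apache documentation warns about, and the escaping that both answers describe, shown as an added example that is not part of the original page or of Apache's own code. The Combined Log Format line, the two IP addresses, the forged entry smuggled in through the User-Agent field and the escaping rules are constructed for illustration; the escaping function is written in the style of later Apache releases but is this page's illustration, not Apache's implementation, and Python's `html.escape` handles the HTML case from the second answer.

```python
import html
import re

# Constructed sample data (not taken from the page): a genuine request from 203.0.113.5
# whose User-Agent header carries a CRLF followed by a forged log entry. How the raw
# bytes reached the header is not the point here; the page's point is that Apache 1.3
# wrote client-supplied bytes to the log file without escaping them.
TIMESTAMP = "10/Oct/2000:13:55:36 -0700"
# The forged entry omits its final quote: the logger's own closing quote completes it.
FORGED_TAIL = ('10.0.0.1 - admin [10/Oct/2000:13:55:40 -0700] '
               '"POST /admin/login HTTP/1.0" 200 512 "-" "Mozilla/5.0')
ATTACKER_UA = "curl/7.0\r\n" + FORGED_TAIL

# Combined Log Format parser; quoted fields accept backslash-escaped characters,
# which is what lets a properly escaped line round-trip through the parser.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


def escape_log_field(value: str) -> str:
    """Make a client-supplied field safe to write on a single log line.

    Backslash, double quote and every ASCII control character are escaped so the
    field can neither end the line early nor close the quotes around it. Written
    for this page in the style of later Apache releases; not Apache's code.
    """
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_entry(host, request, status, nbytes, referer, agent, escape):
    """Render one Combined Log Format line; escape=False mimics Apache 1.3 writing raw data."""
    f = escape_log_field if escape else (lambda s: s)
    return (f'{host} - - [{TIMESTAMP}] "{f(request)}" {status} {nbytes} '
            f'"{f(referer)}" "{f(agent)}"')


def parse_log(text):
    """Parse a log file the way a naive log analyser does: one entry per physical line."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def log_injection_demo(escape):
    """Log the attacker's request, then parse the result back as a log analyser would."""
    line = format_entry("203.0.113.5", "GET / HTTP/1.0", 200, 1234, "-", ATTACKER_UA, escape)
    return parse_log(line)


def render_comment(comment: str) -> str:
    """Echo user input back into HTML with escaping, as the second answer describes."""
    return "<p>" + html.escape(comment) + "</p>"


if __name__ == "__main__":
    # Raw logging: the genuine request is lost (its line is cut off at the CR LF and
    # no longer parses) and a forged "admin" entry from 10.0.0.1 appears instead.
    for e in log_injection_demo(escape=False):
        print("raw     :", e["host"], e["user"], e["request"])
    # Escaped logging: one entry, attributed to the real client, with the payload
    # visible as literal \r\n text inside the User-Agent field.
    for e in log_injection_demo(escape=True):
        print("escaped :", e["host"], e["user"], e["agent"])
    print(render_comment("<script>alert('i steal cookies')</script>"))
```

Running it shows the two failure modes the quoted documentation has in mind: with raw fields the attacker's own request disappears from the parsed output while a fabricated admin login is attributed to another address, and with escaping the same bytes stay on one line as inert text that can still be decoded later, which is the "reversible" property the first answer describes.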

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM