#1748: varnishncsa: logged spaces in userid
---------------------+-------------------------
Reporter: mandark | Type: defect
Status: new | Priority: normal
Milestone: | Component: varnishncsa
Version: 3.0.5 | Severity: normal
Keywords: |
---------------------+-------------------------
It may be normal, yet I think it's not:
If a user agent uses spaces as a basic auth login, like:
curl --user '- - - - -:-' 0
Varnish logs:
127.0.0.1 - - - - - - [01/Jun/2015:17:19:02 +0200] "GET http://127.0.0.1/ HTTP/1.1" 404 1675 "-" "curl/7.26.0"
What's wrong? Nothing at first, yet I think the NCSA format is a great
one because the number of fields is constant as no field can contain space
but the user agent, and, the user agent is last so there is no ambiguity.
Due to this fact, some parsers don't use regular expressions to parse NCSA
log format, but a simple and faster "split" or "cut" like method.
The behavior of logging spaces in userid breaks those parsers (And probably
parsers using regex but not expecting a space here. I did not search
if they exist.)
I also think this behavior may be bad in the sense that breaking those
parsers may help hiding an attack. But with a limited impact, as basic
auth will split on ":" we can't inject a false date (As a date contains
":"), followed by a false verb, a false path, etc, pushing the true log
behind an injected user-agent.
Yet I have absolutely no idea on how to remove or encode cleanly those
spaces without breaking all existing parsers/loggers.
--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1748>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator
_______________________________________________
varnish-bugs mailing list
varnish-bugs@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs
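
The parsing failure described in the ticket, as an added example that is not part of the original report or of Varnish: a positional "split" parser misreads the logged line, while a parser anchored on the bracketed timestamp recovers the fields and flags the userid. The function names are hypothetical, and the anchoring assumes, as the ticket notes, that a basic auth userid cannot contain ":".

```python
import re

# Constructed sample: the log line from the ticket, joined onto one line.
SAMPLE = ('127.0.0.1 - - - - - - [01/Jun/2015:17:19:02 +0200] '
          '"GET http://127.0.0.1/ HTTP/1.1" 404 1675 "-" "curl/7.26.0"')
# Constructed control line with an ordinary userid.
NORMAL = ('127.0.0.1 - alice [01/Jun/2015:17:19:02 +0200] '
          '"GET http://127.0.0.1/ HTTP/1.1" 200 512 "-" "curl/7.26.0"')


def split_parse(line):
    """Positional parser of the "split"/"cut" kind described in the ticket."""
    f = line.split(' ')
    return {'host': f[0], 'user': f[2], 'time': f[3] + ' ' + f[4],
            'method': f[5].lstrip('"'), 'status': f[8]}


# Anchor on the first bracketed timestamp instead of counting spaces.
# Assumption (from the ticket): the userid cannot contain ":", so it cannot
# imitate the dd/Mon/yyyy:hh:mm:ss pattern that precedes the real request.
ANCHORED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>.*?) '
    r'\[(?P<time>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'"(?P<request>.*?)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>.*?)" "(?P<agent>.*)"$')


def anchored_parse(line):
    """Parse one NCSA line; return None if it does not match at all."""
    m = ANCHORED.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Whitespace in the userid is what shifts fields for split-based parsers,
    # so surface it for review rather than silently accepting the line.
    rec['suspicious_user'] = bool(re.search(r'\s', rec['user']))
    return rec


if __name__ == '__main__':
    print('split   :', split_parse(SAMPLE))
    print('anchored:', anchored_parse(SAMPLE))
```
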