Bug 51543 - Space in username not properly escaped in log files (%u)
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: Core
Version: 2.2.3
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2011-07-22 19:43 UTC by David A. Wheeler
Modified: 2014-02-05 16:17 UTC

Attachments
Hi, I wrote a little patch for this old bug. It replaces the space in usernames with a : in the "log_remote_user" function. (681 bytes, patch)
2014-02-05 15:47 UTC, Seb
Description David A. Wheeler 2011-07-22 19:43:16 UTC
Spaces, if any, in a username are not being properly escaped when they are written to logs (as part of %u). The normal logs use space as a delimiter between fields, so having an unescaped space screws up all log processing for anything involving usernames (%u) with spaces.

This is ESPECIALLY a problem for user SSL certificates, because organizations (O=) typically include a space character, e.g., "U.S. Government".  Even the Apache docs show an organization "O=" with a space in it: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.  Thus, if usernames are actually user SSL certificates, then anyone with an organization having a space in it (including "U.S. Government") will have a corrupted log entry.

Note that the DEFAULT log format includes %u.

This is NOT the same as bug 28117, because this involves whitespace not backslashes.

Here's an example of the format I see in the log files:
1.2.3.4 "-" /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=someNAME.someNUMBER [22/Jul/2011:14:56:50 -0400] "GET /somestuff HTTP/1.1" 200 4319
Notice that "U.S. Government" has an embedded space.  But a leading "/" doesn't tell anyone where it begins or ends.

I don't know which escape mechanism is the right one for usernames.  I can imagine %20 working.  Alternatively, surround it with double-quotes if there's an embedded space, and escape double-quote as a pair of double-quotes inside that.  The key is to pick one.

I have confirmed that this happens in httpd version 2.2.3 of CentOS version 5.6.  I don't know for sure if it happens in later versions, though I suspect it does.  However, I'm seeing this in a production system, and I don't have the luxury of upgrading to the latest version of Apache.  I originally found this problem when trying to parse a log using the Apachelog Python library at http://code.google.com/p/apachelog/downloads/list but I don't think the library is at fault here.

Thanks!
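The field-splitting failure described in the report, and the two escaping schemes the reporter suggests, as an added example (not part of the bug report, the attached patch, or httpd). The tokenizer and all function names are illustrative assumptions; the sample line is the one quoted in the report.

```python
import re
from urllib.parse import quote, unquote

# Username (%u) taken from the log line quoted in the report.
RAW_USER = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=CONTRACTOR/CN=someNAME.someNUMBER"

# A field is a "quoted string" ("" = literal quote), a [bracketed time], or a bare word.
TOKEN = re.compile(r'"((?:[^"]|"")*)"|\[([^\]]*)\]|(\S+)')

def log_line(user_field):
    """Rebuild the report's sample line around a given rendering of %u."""
    return (f'1.2.3.4 "-" {user_field} [22/Jul/2011:14:56:50 -0400] '
            '"GET /somestuff HTTP/1.1" 200 4319')

def fields(line):
    """Split a log line into fields, undoing the doubled-quote escape."""
    out = []
    for m in TOKEN.finditer(line):
        if m.group(1) is not None:
            out.append(m.group(1).replace('""', '"'))
        else:
            out.append(m.group(2) if m.group(2) is not None else m.group(3))
    return out

def escape_percent(user):
    """Option 1 from the report: percent-encode (space -> %20, % -> %25, " -> %22)."""
    return quote(user, safe="/=")

def escape_quoted(user):
    """Option 2: wrap in double quotes when needed, doubling embedded quotes."""
    if re.search(r'[\s"]', user):
        return '"' + user.replace('"', '""') + '"'
    return user

def user_from(line, decode=lambda s: s):
    """Return the third field (%u), optionally decoded."""
    return decode(fields(line)[2])

if __name__ == "__main__":
    # Unescaped: 8 fields instead of 7, and %u is truncated at the space.
    print(len(fields(log_line(RAW_USER))), fields(log_line(RAW_USER))[2])
    for name, esc, dec in (("percent", escape_percent, unquote),
                           ("quoted", escape_quoted, lambda s: s)):
        line = log_line(esc(RAW_USER))
        print(name, len(fields(line)), user_from(line, dec) == RAW_USER)
```

Both schemes restore the seven-field layout and round-trip the original DN; a consumer has to know which one the writer used, which is the report's point about picking one.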
Comment 1 Seb 2014-02-05 15:47:22 UTC
Created attachment 31285 [details]
Hi, I wrote a little patch for this old bug. It replaces the space in usernames with a : in the "log_remote_user" function.