log file syntax broken due to interpretation of certain encoded chars in urls

Bug #909016 reported by Brandt B
This bug affects 1 person
Affects: squidguard (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Joachim Wiedorn
Milestone: (none)

Bug Description

Squidguard is interpreting encoded chars in URLs. So if you have something like "%2F" in your URL, this becomes "/" in your log file. Consequently, "%0A" becomes a "new line". This is, however, not the only dangerous sequence. For example, a "%09" becomes a "tab".

This is problematic, since it causes subsequent tools like log-file analyzers to fail due to incorrect syntax. For example, the sarg package isn't producing any output as long as there is even one malformed log line.

As a workaround, the issue can be resolved by removing most of the content of the HTUnEscape function in HTParse.c (see appended patch). This stops squidguard entirely from interpreting encoded chars. However, a more desirable solution might be to make a list of "threatening encoded chars" and filter only those.

Thanks for your efforts

B. Brandt

Tags: patch
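
One way to implement the "filter only the threatening encoded chars" idea from the report above, as an added example that is not squidGuard's code and not the attached patch. The function names and the safe-byte policy are assumptions; the URL in main() is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy (not squidGuard's): a decoded byte may enter a whitespace-
 * delimited log line only if it is printable ASCII, not a space, not '%'. */
static int log_safe(unsigned char c) { return c > 0x20 && c < 0x7f && c != '%'; }

static int hexval(int c)   /* hypothetical helper: hex digit value or -1 */
{
    const char *d = "0123456789abcdef", *p = c ? strchr(d, tolower(c)) : NULL;
    return p ? (int)(p - d) : -1;
}

/* Decode %XX escapes, but keep the escape when the decoded byte would break
 * the log syntax; raw unsafe bytes are re-encoded. Returns length or -1. */
static int unescape_for_log(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        unsigned char c = (unsigned char)*in;
        int hi = -1, lo = -1, decoded = 0;
        if (c == '%' && (hi = hexval((unsigned char)in[1])) >= 0
                     && (lo = hexval((unsigned char)in[2])) >= 0) {
            c = (unsigned char)(hi * 16 + lo);
            decoded = 1;
        }
        in += decoded ? 3 : 1;
        if (log_safe(c) || (!decoded && c == '%')) {
            if (o + 2 > outsz) return -1;       /* byte + terminating NUL */
            out[o++] = (char)c;
        } else {
            if (o + 4 > outsz) return -1;       /* %XX + terminating NUL */
            out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15];
        }
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char buf[128];
    if (unescape_for_log("http://example.com/a%2Fb%0Ac%09d", buf, sizeof buf) >= 0)
        puts(buf);   /* %2F is decoded, %0A and %09 stay encoded */
    return 0;
}
```

Keeping "%25" encoded means a literal percent sign in the original URL can never turn into a new escape sequence in the log.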
Brandt B (benedikt-benbra) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "HTParse.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in squidguard (Ubuntu):
assignee: nobody → Joachim Wiedorn (ad-debian)
status: New → Confirmed
Brandt B (benedikt-benbra) wrote :

Just wanted to add that this bug is still present in version 1.5
