log file syntax broken due to interpretation of certain encoded chars in urls

Bug #909016 reported by Brandt B on 2011-12-27
This bug affects 1 person
Affects: squidguard (Ubuntu)
Importance: Undecided
Assigned to: Joachim Wiedorn

Bug Description

Squidguard is interpreting encoded chars in URLs. So if you have something like "%2F" in your URL, this becomes "/" in your log file. Consequently "%0A" becomes a "new line". This is however not the only dangerous sequence. For example, a "%09" becomes a "tab".

This is problematic, since it causes subsequent tools like log-file analyzers to fail due to incorrect syntax. For example, the sarg package isn't producing any output as long as there is even one malformed log line.

As a workaround, the issue can be resolved by removing most of the content of the HTUnEscape function in HTParse.c (see appended patch). This stops squidguard entirely from interpreting encoded chars. However, a more desirable solution might be to make a list of "threatening encoded chars" and filter only those.

Thanks for your efforts

B. Brandt
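
An added sketch of the selective approach suggested in the description above (example code, not squidGuard's HTUnEscape and not the attached patch): decode %XX escapes for logging, but leave an escape encoded when the decoded byte would break a whitespace-delimited, one-record-per-line log. The names `hex_val`, `unsafe_for_log` and `log_unescape` are hypothetical, and the choice of which bytes count as unsafe is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not squidGuard code): hex digit value, or -1. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Assumed policy: keep encoded any control byte (LF, CR, TAB, NUL), space,
 * DEL, non-ASCII byte, and '%' itself so the logged URL stays unambiguous. */
static int unsafe_for_log(int b)
{
    return b <= 0x20 || b >= 0x7f || b == '%';
}

/* Decode %XX in place, keeping escapes whose byte is unsafe_for_log().
 * Returns how many escapes were left encoded. */
static size_t log_unescape(char *s)
{
    char *out = s;
    size_t kept = 0;
    while (*s) {
        int hi = (s[0] == '%') ? hex_val(s[1]) : -1;
        int lo = (hi >= 0) ? hex_val(s[2]) : -1;
        if (lo < 0) {                 /* ordinary char or malformed escape */
            *out++ = *s++;
            continue;
        }
        if (unsafe_for_log(hi * 16 + lo)) {
            *out++ = s[0]; *out++ = s[1]; *out++ = s[2];
            kept++;
        } else {
            *out++ = (char)(hi * 16 + lo);
        }
        s += 3;
    }
    *out = '\0';
    return kept;
}

int main(void)
{
    char url[] = "http://example.com/a%2Fb%0Ac%09d"; /* constructed sample */
    size_t kept = log_unescape(url);
    printf("%s (%zu escapes kept)\n", url, kept);
    return 0;
}
```

The output can never be longer than the input, so the in-place rewrite needs no extra buffer.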

Brandt B (benedikt-benbra) wrote :

The attachment "HTParse.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Changed in squidguard (Ubuntu):
assignee: nobody → Joachim Wiedorn (ad-debian)
status: New → Confirmed
Brandt B (benedikt-benbra) wrote :

Just wanted to add that this bug is still present in version 1.5.
