Hi Apache Herd,

I've just added an ebuild for anyterm ( http://anyterm.org/ ), a rather neat AJAX terminal emulator (get a shell on your box from any web browser, means you can use mutt from any internet cafe).

anyterm passes keystrokes to the server using GET requests, which are logged by apache. Therefore, anyone who can read the apache log can extract all the keystrokes typed by the remote user, including passwords!

The long term solution is probably to use careful encryption in the XmlHttpRequests, but in the meantime it's simplest just to disable logging of any requests containing sensitive information. anyterm sets the apache environment variable DONTLOG on all requests that should not be logged. Then, all the user has to do is change all the relevant CustomLog directives in his apache log files to include ...env=!DONTLOG. However, it would be nice if Gentoo did this by default :-)

Please could you make this change in the default httpd.conf and 41_mod_ssl.default-vhost.conf files installed by the Gentoo ebuilds, i.e. httpd.conf should replace

    CustomLog logs/access_log common

with

    CustomLog logs/access_log common env=!DONTLOG

and 41_mod_ssl.default-vhost.conf should replace

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

with

    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=!DONTLOG

I'm sure that, as other clever AJAX applications get written, other applications will also need to disable logging. Please mark this bug as WONTFIX if you don't want to do this.

Thanks very much,
Tom
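A small audit of the change requested above, as an added example that is not part of the bug report or of the anyterm project: it joins Apache's backslash-continued lines into whole directives, reports every CustomLog that carries no env=/expr= condition (and so would still log DONTLOG requests), and emits the config with env=!DONTLOG appended. The two sample configs are constructed to mirror the quoted Gentoo defaults.

```python
import re

# Constructed sample configs, mirroring the two Gentoo defaults quoted in the
# comment above, plus one directive that already carries the condition.
HTTPD_CONF = (
    'LogFormat "%h %l %u %t \\"%r\\" %>s %b" common\n'
    'CustomLog logs/access_log common\n'
    'CustomLog logs/other_log common env=!DONTLOG\n'
)
SSL_VHOST_CONF = (
    'CustomLog logs/ssl_request_log \\\n'
    '    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \\"%r\\" %b"\n'
)
ENV_CLAUSE = "env=!DONTLOG"

def logical_lines(text):
    """Join Apache continuation lines (trailing backslash) into whole directives;
    returns a list of (first_physical_line_number, directive_text)."""
    out, buf, start = [], [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if start is None:
            start = no
        if line.endswith("\\"):  # directive continues on the next line
            buf.append(line[:-1].strip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf).strip()))
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        out.append((start, " ".join(buf).strip()))
    return out

def is_unconditional_customlog(directive):
    """A CustomLog with no env=/expr= condition logs every request, DONTLOG ones
    included. One that already has a condition is left for a human, because
    CustomLog accepts only a single env= or expr= clause."""
    return bool(re.match(r"CustomLog\b", directive, re.I)) and not re.search(
        r"\b(env|expr)=", directive, re.I)

def unconditional_customlogs(text):
    """Physical line numbers of CustomLog directives that would log DONTLOG requests."""
    return [no for no, d in logical_lines(text) if is_unconditional_customlog(d)]

def add_dontlog(text):
    """Rewrite the config with env=!DONTLOG appended to each unconditional CustomLog.
    Continued directives come back on one line; every other line is kept verbatim."""
    fixed = [f"{d} {ENV_CLAUSE}" if is_unconditional_customlog(d) else d
             for _, d in logical_lines(text)]
    return "\n".join(fixed) + "\n"
```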
Using DONTLOG is an ugly hack. Shouldn't the module use POST instead of GET? I would really rather prefer that modules fix the security problems in their own code/config rather than requiring changes to the global config.
Michael,

Your suggestion seems very sensible indeed. I asked the author of anyterm, Phil Endecott. He said:

"POST doesn't work with Opera, due to a bug in that browser's XmlHttpRequest implementation"

Hmmm. My initial feeling is that this is Opera's problem and that you're right, we should just use POST. Adding kludges to support a bug in a minority browser doesn't seem right. I'll configure anyterm to use POST and add a warning about it not working with Opera.

Thanks very much for your input. Marking WONTFIX for now.

Tom
To make Opera users happy, you might create a local USE flag to enable the original functionality (environment hack) along with instructions on how to modify the config.