Bug 120114

Summary: Please add an environment variable to disable logging for certain webapps
Product: Gentoo Linux
Reporter: Tom Payne (RETIRED) <twp>
Component: New packages
Assignee: Apache Team - Bugzilla Reports <apache-bugs>
Status: RESOLVED WONTFIX    
Severity: enhancement    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Tom Payne (RETIRED) gentoo-dev 2006-01-23 16:15:14 UTC
Hi Apache Herd,

I've just added an ebuild for anyterm ( http://anyterm.org/ ), a rather neat AJAX terminal emulator (get a shell on your box from any web browser, means you can use mutt from any internet cafe).

anyterm passes keystrokes to the server using GET requests which are logged by apache. Therefore, anyone who can read the apache log can extract all the keystrokes typed by the remote user, including passwords!

The long term solution is probably to use careful encryption in the XmlHttpRequests, but in the meantime it's simplest just to disable logging of any requests containing sensitive information.

anyterm sets the apache environment variable DONTLOG on all requests that should not be logged. Then, all the user has to do is change all the relevant CustomLog directives in his apache log files to include ...env=!DONTLOG. However, it would be nice if Gentoo did this by default :-)

Please could you make this change in the default httpd.conf and 41_mod_ssl.default-vhost.conf files installed by the Gentoo ebuilds, i.e. httpd.conf should replace
CustomLog logs/access_log common
with
CustomLog logs/access_log common env=!DONTLOG
and 41_mod_ssl.default-vhost.conf should replace
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
with
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=!DONTLOG

I'm sure that, as other clever AJAX applications get written, other applications will also need to disable logging.

Please mark this bug as WONTFIX if you don't want to do this.

Thanks very much,

Tom
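An added configuration example (not part of the bug report or the anyterm ebuild) showing the env=!DONTLOG mechanism described above, plus an alternative that keeps an access entry but never writes the query string; the /anyterm/ path prefix is an assumption.

```apache
# Added example (not from the bug report or the anyterm package).
# Assumption: anyterm is served under /anyterm/; adjust the prefix to match.

# 1. Mark every request to the terminal endpoint so the log condition can see it.
#    anyterm's own config sets DONTLOG itself; this is the equivalent explicit rule.
SetEnvIf Request_URI "^/anyterm/" DONTLOG

# 2. Option A (what the report asks for): drop these requests from the access log
#    entirely. Nothing about the request, not even the path, is recorded.
CustomLog logs/access_log common env=!DONTLOG

# 3. Option B: keep an audit trail of the access but never write the query string.
#    %U is the path without the query and %q would be the query string; %r is the
#    full request line and must be avoided here because it includes the query string.
LogFormat "%h %l %u %t \"%m %U %H\" %>s %b" noquery
CustomLog logs/anyterm_access_log noquery env=DONTLOG

# The same condition applies to the SSL vhost log in 41_mod_ssl.default-vhost.conf:
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=!DONTLOG
```

The env= condition only affects CustomLog/TransferLog output; the error log and any module-specific logs are not governed by it, so check those separately for echoed request lines.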
Comment 1 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-24 13:07:49 UTC
Using DONTLOG is an ugly hack. Shouldn't the module use POST instead of GET?

I would really rather prefer that modules fix the security problems in their own code/config rather than requiring changes to the global config.
Comment 2 Tom Payne (RETIRED) gentoo-dev 2006-01-24 13:38:39 UTC
Michael,

Your suggestion seems very sensible indeed. I asked the author of anyterm, Phil Endecott. He said:

"POST doesn't work with Opera, due to a bug in that browser's
XmlHttpRequest implementation"

Hmmm. My initial feeling is that this is Opera's problem and that you're right, we should just use POST. Adding kludges to support a bug in a minority browser doesn't seem right. I'll configure anyterm to use POST and add a warning about it not working with Opera.

Thanks very much for your input. Marking WONTFIX for now.

Tom
Comment 3 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-24 14:12:37 UTC
To make Opera users happy, you might create a local USE flag to enable the original functionality (environment hack) along with instructions on how to modify the config.