Bug 120114 - Please add an environment variable to disable logging for certain webapps
Summary: Please add an environment variable to disable logging for certain webapps
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Apache Team - Bugzilla Reports
Depends on:
Reported: 2006-01-23 16:15 UTC by Tom Payne (RETIRED)
Modified: 2006-01-24 14:12 UTC
See Also:
Package list:
Runtime testing required: ---


Description Tom Payne (RETIRED) gentoo-dev 2006-01-23 16:15:14 UTC
Hi Apache Herd,

I've just added an ebuild for anyterm ( ), a rather neat AJAX terminal emulator (get a shell on your box from any web browser, means you can use mutt from any internet cafe).

anyterm passes keystrokes to the server using GET requests which are logged by apache. Therefore, anyone who can read the apache log can extract all the keystrokes typed by the remote user, including passwords!

The long term solution is probably to use careful encryption in the XmlHttpRequests, but in the meantime it's simplest just to disable logging of any requests containing sensitive information.

anyterm sets the apache environment variable DONTLOG on all requests that should not be logged. Then, all the user has to do is change all the relevant CustomLog directives in his apache log files to include ...env=!DONTLOG. However, it would be nice if Gentoo did this by default :-)

Please could you make this change in the default httpd.conf and 41_mod_ssl.default-vhost.conf files installed by the Gentoo ebuilds, i.e. httpd.conf should replace

    CustomLog logs/access_log common

with

    CustomLog logs/access_log common env=!DONTLOG

and 41_mod_ssl.default-vhost.conf should replace

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

with

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" env=!DONTLOG

I'm sure that, as other clever AJAX applications get written, other applications will also need to disable logging.

Please mark this bug as WONTFIX if you don't want to do this.

Thanks very much,
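The reporter's concern is that a GET query string carrying keystrokes is written verbatim to access_log, so anyone who can read the log can read the session. As an added example (not code from the bug report, from anyterm or from the Gentoo ebuild), the Python script below audits Apache common-format log lines for exactly that pattern and scrubs the query-string values from any GET under a path marked sensitive. The /anyterm/ path prefix and the log lines are constructed for the example; the bug report names neither the request path nor the parameter names anyterm uses.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "common" log format (also matches the prefix of "combined"):
#   host ident user [time] "method target protocol" status bytes ...
COMMON_LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)(?P<rest>.*)$'
)

# Path prefixes whose GET query strings carry user input (keystrokes, in the
# anyterm case). "/anyterm/" is an assumed deployment path for this example;
# the bug report does not state where anyterm is mounted.
SENSITIVE_PREFIXES = ("/anyterm/",)

# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Jan/2006:16:15:14 +0000] '
    '"GET /anyterm/term?a=send&k=s3cret HTTP/1.1" 200 12',
    '192.0.2.10 - - [23/Jan/2006:16:15:15 +0000] '
    '"GET /anyterm/anyterm.html HTTP/1.1" 200 4021',
    '192.0.2.11 - - [23/Jan/2006:16:16:01 +0000] '
    '"GET /index.html?page=2 HTTP/1.1" 200 1234',
    '192.0.2.10 - - [23/Jan/2006:16:16:05 +0000] '
    '"POST /anyterm/term HTTP/1.1" 200 12',
]


def parse_common_log(line):
    """Split one common-format line into its fields, or None if it does not match."""
    m = COMMON_LOG_RE.match(line)
    return m.groupdict() if m else None


def is_sensitive(entry):
    """A GET with a query string under a sensitive prefix: its parameters were
    user input and are now sitting in the log."""
    parts = urlsplit(entry["target"])
    return (entry["method"] == "GET"
            and parts.query != ""
            and parts.path.startswith(SENSITIVE_PREFIXES))


def redact_target(target):
    """Keep the path and the parameter names, drop every parameter value."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + "?" + "&".join(f"{name}=REDACTED" for name in names)


def scrub_log(lines):
    """Return (scrubbed_lines, leaked_count).

    Lines that carry sensitive GET parameters are rewritten with their values
    removed; everything else (other paths, POSTs, unparseable lines) passes
    through unchanged so the log stays complete.
    """
    scrubbed, leaked = [], 0
    for line in lines:
        entry = parse_common_log(line)
        if entry and is_sensitive(entry):
            leaked += 1
            line = line.replace(entry["target"], redact_target(entry["target"]), 1)
        scrubbed.append(line)
    return scrubbed, leaked


if __name__ == "__main__":
    clean, count = scrub_log(SAMPLE_LOG)
    print(f"{count} line(s) carried sensitive GET parameters")
    for line in clean:
        print(line)
```

The env=!DONTLOG change requested above stops such lines from being written at all; a scrubber like this is only a backstop for logs written before the change, and a cheap check that the directive took effect (a non-zero leaked count on a fresh access_log means the CustomLog directive still records those requests).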

Comment 1 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-24 13:07:49 UTC
Using DONTLOG is an ugly hack. Shouldn't the module use POST instead of GET?

I would really rather prefer that modules fix the security problems in their own code/config rather than requiring changes to the global config.
Comment 2 Tom Payne (RETIRED) gentoo-dev 2006-01-24 13:38:39 UTC

Your suggestion seems very sensible indeed. I asked the author of anyterm, Phil Endecott. He said:

"POST doesn't work with Opera, due to a bug in that browser's
XmlHttpRequest implementation"

Hmmm. My initial feeling is that this is Opera's problem and that you're right, we should just use POST. Adding kludges to support a bug in a minority browser doesn't seem right. I'll configure anyterm to use POST and add a warning about it not working with Opera.

Thanks very much for your input. Marking WONTFIX for now.

Comment 3 Michael Stewart (vericgar) (RETIRED) gentoo-dev 2006-01-24 14:12:37 UTC
To make Opera users happy, you might create a local USE flag to enable the original functionality (environment hack) along with instructions on how to modify the config.