I read the StackOverflow thread and it seems there are 2 teams ping-ponging
the problem:
- One says that it is a terminal problem and that control and escape
sequences should not be executed
- The other says that those features are useful and says that log files are
supposed to be text-only, thus readable safely in a terminal (no control
character should be there)
The advisory stands from the second point of view, which I tend to agree
with. If logs cannot be trusted, which are supposed to be filled with
text, then everything around monitoring (reading, parsing, copying) becomes
a nightmare.
What is the benefit of having those unescaped control characters in a log
file? Escaping them allows you to warn about their presence safely... and
that is directly exploitable by anything, once again safely.
---
*B. R.*
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
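
The escaping discussed in the message above, as an added example (not part of the original post and not nginx's own code): it rewrites every byte outside printable ASCII as `\xXX` so a log line can be displayed in a terminal, and reports which lines contained control characters. The function names, the `\xXX` output form and the sample log lines are assumptions constructed for this illustration.

```python
import re

# Anything outside printable ASCII (0x20-0x7E), plus the backslash itself,
# is rewritten as \xXX. Escaping the backslash keeps the output unambiguous:
# a literal "\x1B" typed by a client cannot be confused with an escaped ESC.
_UNSAFE = re.compile(rb"[^\x20-\x7e]|\\")


def escape_line(raw: bytes) -> tuple[str, int]:
    """Return (terminal-safe text, number of control bytes that were escaped)."""
    controls = 0

    def repl(match: re.Match) -> bytes:
        nonlocal controls
        byte = match.group()[0]
        if byte < 0x20 or byte == 0x7F:  # C0 control characters and DEL
            controls += 1
        return b"\\x%02X" % byte

    return _UNSAFE.sub(repl, raw).decode("ascii"), controls


def scan(log: bytes) -> list[tuple[int, int, str]]:
    """Return (line number, control count, escaped line) for suspicious lines."""
    findings = []
    # Split on LF only, so a stray CR inside a line is reported, not hidden.
    for lineno, raw in enumerate(log.split(b"\n"), start=1):
        safe, controls = escape_line(raw)
        if controls:
            findings.append((lineno, controls, safe))
    return findings


# Constructed sample: line 2 carries an "erase line" sequence and a BEL,
# line 3 carries UTF-8 text (escaped for display, but not a control byte).
SAMPLE_LOG = (
    b'192.0.2.10 - - "GET /index.html HTTP/1.1" 200\n'
    b'192.0.2.11 - - "GET /\x1b[2K\x07 HTTP/1.1" 400\n'
    b'192.0.2.12 - - "GET /caf\xc3\xa9 HTTP/1.1" 200\n'
)

if __name__ == "__main__":
    for lineno, controls, safe in scan(SAMPLE_LOG):
        print(f"line {lineno}: {controls} control byte(s): {safe}")
```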