[Varnish] #1748: varnishncsa: logged spaces in userid

Varnish varnish-bugs at varnish-cache.org
Mon Jun 1 17:36:13 CEST 2015

#1748: varnishncsa: logged spaces in userid
 Reporter:  mandark  |       Type:  defect
   Status:  new      |   Priority:  normal
Milestone:           |  Component:  varnishncsa
  Version:  3.0.5    |   Severity:  normal
 Keywords:           |
 It may be normal, yet I think it's not:

 If a user agent uses spaces as a basic auth loggin, like :

     curl --user '- - - - -:-' 0

 Varnish logs: - - - - - - [01/Jun/2015:17:19:02 +0200] "GET HTTP/1.1" 404 1675 "-" "curl/7.26.0"

 What's wrong ? Nothing at first, yet I think the NCSA format is a great
 one because the number of fields is constant as no field can contain space
 but the user agent, and, the user agent is last so there is no ambiguity.

 Due to this fact, some parsers don't use regular expressions to parse NCSA
 log format, but a simple and faster "split" or "cut" like method.

 The behavior of logging spaces in userid break those parsers (And probably
 parsers using regex but not expecting a space here. I didn't not searched
 if they exist.)

 I also think this behavior may be bad in the sense that breaking those
 parser may help hidding an attack. But with a limited impact, as basic
 auth will split on ":" we can't inject a false date (As a date contains
 ":"), followed by a false verb, a false path, etc, pushing the true log
 behind an injected user-agent.

 Yet I have absolutely no idea on how to remove or encode cleanly those
 spaces without breaking every existing parsers/loggers.

Ticket URL: <https://www.varnish-cache.org/trac/ticket/1748>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

More information about the varnish-bugs mailing list