You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Background
I use Apache ErrorLogFormat to output error messages in JSON format. Unfortunately when the message itself is JSON, the double quotes in the payload are not escaped and I end up with invalid JSON.
which has the comment:
case '"': /* no need for this in error log */
I also tried using a piped logger to handle the raw message; this is even worse: Apache strips out the \ from the \n in the error message (the JSON payload in this case) first!
Is there anything that can be set to ensure that the message being sent to the Apache error logger is fully escaped ?
NB: this appears to be specific to the %M field in the ErrorLogFormat only
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Background
I use Apache ErrorLogFormat to output error messages in JSON format. Unfortunately when the message itself is JSON, the double quotes in the payload are not escaped and I end up with invalid JSON.
httpd.conf
ErrorLogFormat '{ "timestamp": "%{u}t", "module": "%-m", "message": "%M" }'
When Apache is run in debug mode, mod_auth_openidc writes the following into the ErrorLog:
oidc_http_request: response={ JSON Payload }
And so with ErrorLogFormat set as above, AND with mod_auth_openidc debugging enabled...
error_log snippet
{ "timestamp": "Fri Sep 27 11:20:42.838013 2024", "module": "auth_openidc", "message": "oidc_http_request: response={\n "issuer" : "https://OP/ID/as",\n "authorization_endpoint" : "https://OP/ID/as/authorize",\n "pushed_authorization_request_endpoint" : "https://OP/ID/as/par",\n}'
i.e. invalid JSON
Annoyingly the Apache error logger does NOT escape any double quotes, it even has an explicit comment that it won't do this!
oidc_debug > ap_log_error > log_error_core > do_errorlog_format > apr_vsnprintf > ap_escape_errorlog_item
which has the comment:
case '"': /* no need for this in error log */
I also tried using a piped logger to handle the raw message; this is even worse: Apache strips out the \ from the \n in the error message (the JSON payload in this case) first!
Is there anything that can be set to ensure that the message being sent to the Apache error logger is fully escaped ?
NB: this appears to be specific to the %M field in the ErrorLogFormat only
Similar discussion at: GrahamDumpleton/mod_wsgi#350
Beta Was this translation helpful? Give feedback.
All reactions