I read the StackOverflow thread and it seems there are 2 teams ping-ponging the problem:
- One says that it is a terminal problem and that control and escape sequences should not be executed
- The other says that those features are useful and says that log files are supposed to be text-only, thus readable safely in a terminal (no control character should be there)
The advisory stands from the second point of view, which I tend to agree with. If logs cannot be trusted, which are supposed to be filled with text, then everything around monitoring (reading, parsing, copying) becomes a nightmare. What is the benefit of having those unescaped control characters in a log file? Escaping them allows you to warn about their presence safely... and that is directly exploitable by anything, once again safely. --- *B. R.*
_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
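As an added example, not part of the thread or of nginx itself: a small Python sanitizer that escapes control characters in access-log records before they reach a terminal or parser, and flags the records that contained them. The log records are constructed samples in a common access-log layout.

```python
import re

# C0 controls (including ESC 0x1b, CR, LF), DEL, and C1 controls (0x80-0x9f).
# A plain TAB (0x09) is left alone because it is a normal field separator.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# Constructed sample records, not real traffic. Record 1 carries a terminal
# "clear screen / home" escape sequence; record 2 carries a bare CR that could
# overwrite the visible line and forge a fake entry when viewed in a terminal.
SAMPLE_LOG = [
    '10.0.0.1 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612',
    '10.0.0.2 - - [10/Oct/2023:13:55:37 +0000] "GET /\x1b[2J\x1b[H HTTP/1.1" 404 0',
    '10.0.0.3 - - [10/Oct/2023:13:55:38 +0000] "GET /a\rfake-line HTTP/1.1" 200 5',
]


def escape_control_chars(record: str) -> str:
    """Replace every control character in one log record by a visible \\xNN escape.

    The result is printable text: the escape sequence is still recognisable to a
    human or a parser, but a terminal will no longer interpret it.
    """
    return _CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", record)


def has_control_chars(record: str) -> bool:
    """True when the record contains any character a terminal might interpret."""
    return _CONTROL_RE.search(record) is not None


def sanitize_log(records):
    """Return the records with control characters escaped, one output per input."""
    return [escape_control_chars(r) for r in records]


def flag_suspicious(records):
    """Return the indexes of records that contained control characters.

    This is the 'warn about their presence' step: the escaped text is safe to
    display, and the index list can feed an alert.
    """
    return [i for i, r in enumerate(records) if has_control_chars(r)]


if __name__ == "__main__":
    for idx in flag_suspicious(SAMPLE_LOG):
        print(f"record {idx} contained control characters")
    for line in sanitize_log(SAMPLE_LOG):
        print(line)
```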
