On Sun, Feb 13, 2022 at 10:45 AM Moshe Katz <mo...@ymkatz.net> wrote:
>
> I can't speak for the nginx team, but as noted by "Severity: none", I assume
> they agree with many other vendors that this is not actually a vulnerability
> in nginx itself.
>
> For example, here is what the authors of Varnish said in response to this CVE:
>
> > This is not a security problem in Varnish or any other piece of software
> > which writes a logfile.
> >
> > The real problem is the mistaken belief that you can cat(1) a random
> > logfile to your terminal safely.
> >
> > This is not a new issue. I first remember the issue with xterm(1)'s
> > inadvisably implemented escape-sequences in a root-context, brought up
> > heatedly, in 1988, possibly late 1987, at Copenhagen University's Computer
> > Science dept. (Diku.dk). Since then, nothing much has changed.
> >
> > The wisdom of terminal-response-escapes in general has been questioned at
> > regular intervals, but still none of the major terminal emulation programs
> > have seen fit to discard these sequences, probably in a misguided attempt
> > at compatibility with no longer used 1970s technology.
> >
> > I admit that listing "found a security hole in all HTTP-related programs
> > that write logfiles" will look more impressive on a resume, but I think it
> > is misguided and a sign of trophy-hunting having overtaken common sense.
> >
> > Instead of blaming any and all programs which write logfiles, it would be
> > much more productive, from a security point of view, to get the terminal
> > emulation programs to stop doing stupid things, and thus fix this and other
> > security problems once and for all.
>
This is all fair and good (and I don't disagree that terminal emulators need to get better), but I'm just wondering: does anybody here do error logging at info or debug? If you send the logs off somewhere to a logging system, how do you parse these logs?

-jf
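The thread's underlying point is that a log file is attacker-influenced data (request lines, headers, user agents) and that anything a terminal interprets (ESC-sequences, control bytes) will be acted on if the file is written raw to a terminal. The following is an added example, not code from the thread or from nginx or Varnish, of the check a log pipeline can run at ingest or display time: it flags lines carrying terminal control sequences and renders them visibly in the style of `cat -v`. The log lines are constructed sample input in a Combined-Log-like layout; the function names and the regular expression are this example's own assumptions, not anything from the thread.

```python
import re

# Sequences a terminal would interpret, matched in order of specificity:
#   1. CSI: ESC [ parameter-bytes intermediate-bytes final-byte   (colours, cursor, clear)
#   2. OSC: ESC ] ... terminated by BEL or by ST (ESC \)           (title changes, etc.)
#   3. any other two-byte ESC sequence in the Fe range, e.g. ESC c (full reset)
#   4. remaining C0 control bytes except TAB and LF, plus DEL
_CONTROL_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[@-_]"
    r"|[\x00-\x08\x0b-\x1f\x7f]"
)

# Constructed sample lines (not real traffic). Line 0 is benign; line 1 carries a
# colour CSI inside the user-agent field; line 2 carries an OSC title sequence.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Feb/2022:10:45:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.81.0"',
    '203.0.113.8 - - [13/Feb/2022:10:45:01 +0000] "GET /x HTTP/1.1" 404 153 "-" "\x1b[31mMozilla\x1b[0m"',
    '203.0.113.9 - - [13/Feb/2022:10:45:02 +0000] "GET /y HTTP/1.1" 404 153 "-" "\x1b]0;title\x07agent"',
]


def find_control_sequences(line):
    """Return every terminal control sequence or control byte found in the line."""
    return _CONTROL_SEQ.findall(line)


def is_suspicious(line):
    """True if printing the line raw to a terminal would hand it something to interpret."""
    return _CONTROL_SEQ.search(line) is not None


def _caret(ch):
    """Caret notation for one control byte, as cat -v shows it; printable bytes pass through."""
    code = ord(ch)
    if code == 0x7F:
        return "^?"
    if code < 0x20:
        return "^" + chr(code + 0x40)   # ESC -> ^[, BEL -> ^G, ...
    return ch


def sanitize(line):
    """Render control sequences visibly so the line is safe to show on a terminal."""
    return _CONTROL_SEQ.sub(lambda m: "".join(_caret(c) for c in m.group(0)), line)


def scan(lines):
    """Return (index, sequences) for each line that should not be printed raw."""
    findings = []
    for index, line in enumerate(lines):
        sequences = find_control_sequences(line)
        if sequences:
            findings.append((index, sequences))
    return findings


if __name__ == "__main__":
    for index, sequences in scan(SAMPLE_LOG):
        print(f"line {index}: {len(sequences)} control sequence(s)")
        print("  sanitized:", sanitize(SAMPLE_LOG[index]))
```

The pattern leaves TAB alone and treats everything else below 0x20 as hostile; whether the shipper should drop such lines, quarantine them, or just store the caret-escaped form is a policy choice, but the decision belongs at the ingest boundary, not at the moment someone runs `cat` on the file.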