Fix logging format string #86

Open
Devstellar wants to merge 1 commit into owasp-modsecurity:master from Devstellar:fix-log-formatstringattack

@Devstellar

Fix issue #85 using a fixed format string in the calls to log

@fzipi

fzipi commented Feb 16, 2026

This should be merged.

@airween
Member

airween commented Feb 16, 2026

> This should be merged.

I'm not sure about that. I remember once I ran into a strange problem with Apache 2.4. I made a fix but haven't sent any PR yet.

Here is the commit:

airween@e4cbbac

I suggest adding this instead of replacing the variable.

@fzipi

fzipi commented Feb 16, 2026

The correct fix is to always use "%s", msg. Reading it again, it looks like it is removing the r->status, but adding it back should make it work.

Yours does a costly parsing that doesn't make sense in this scenario.

Another extra check that could be done is adding limits to the size you are printing out.
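
Added example, not code from this pull request or from the ModSecurity project: a C illustration of the fix discussed in this thread, a fixed format string with the message passed only as data, plus a cap on how much of it is printed. `log_sink`, `log_msg_safe`, the `log: ` prefix and `MAX_LOG_MSG` are hypothetical names and values chosen for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOG_MSG 32 /* assumed cap on printed message bytes */

/* Hypothetical printf-style log sink: formats the line into out and
 * returns the length the full line would have had (vsnprintf semantics). */
static int log_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Before (shown as a comment only): msg is the format argument, so any
 * conversion specifier it contains is interpreted by the logger.
 *     log_sink(out, outlen, msg);
 */

/* After: the format is a constant and msg is only an argument, so
 * specifiers inside msg are logged literally. The "%.*s" precision
 * limits how many bytes of msg reach the log line. */
int log_msg_safe(char *out, size_t outlen, const char *msg)
{
    if (msg == NULL)
        msg = "(null)";
    return log_sink(out, outlen, "log: %.*s", MAX_LOG_MSG, msg);
}

int main(void)
{
    char line[128];

    /* Constructed input containing conversion specifiers. */
    log_msg_safe(line, sizeof line, "x=%s%n%x");
    puts(line);
    return 0;
}
```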
