Closed (kassner closed 6 years ago)
Is there a solution for this yet? I just got an exploit attempt that broke the parser as well:
169.229.3.91 - - [17/Jul/2016:12:52:13 +0000] "\x0CH\xCA|\x06@S\xAAe\x9Bz\xE7\xF3\xB75\x83f\xAC\xAE\xFA\xD1\xCC\x8Ea\x95\xB1$z\x09\x88\x9D\xE5\x90\x94\xF9\x18\x14^\xAE\x8Dp\x83G\xA8\x0Eh!7b\xA9\xB6y\xCAz\x98\xFD" 400 173 "-" "-" "-"
Dirty, but "%{Request}i" and $entry->HeaderRequest worked for me.
Any thoughts on this? Here are some of the exploit attempts we have seen: "\x9e", "\x9e", "GET /wp-includes/js/jquery/)},c...", "\x03". Should %r be modified to capture? Would this be a breaking change for anyone? Or should we do a new %R that is basically everything in request, regardless?
It is necessary to cover bad requests like this:
Although it is an invalid request, it is a valid log entry, and should be parsed correctly.
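The idea discussed in this thread (capture the whole quoted request as an opaque string, then try to interpret it) sketched in Python as an added example; it is not code from the thread or from the log-parser project. The regexes, field names and sample lines are constructed for illustration and assume the server writes non-printable bytes as `\xHH` and escapes quotes with a backslash.

```python
import re

# Request is an opaque quoted string: plain characters or backslash escapes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Strict shape of a well-formed request line: METHOD SP target SP HTTP/x.y
REQUEST_RE = re.compile(
    r'^(?P<method>[A-Z]+) (?P<path>\S+) (?P<protocol>HTTP/\d\.\d)$'
)
HEX_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')
EMPTY = {"method": None, "path": None, "protocol": None}


def parse_line(line):
    """Return a dict for any syntactically valid log entry, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    req = REQUEST_RE.match(entry["request"])
    # An invalid request does not invalidate the entry: keep the raw
    # string and flag it instead of rejecting the whole line.
    entry["malformed_request"] = req is None
    entry.update(req.groupdict() if req else EMPTY)
    # Number of \xHH escapes in the request, a cheap triage signal.
    entry["escaped_bytes"] = len(HEX_ESCAPE_RE.findall(entry["request"]))
    return entry


def summarize(lines):
    """Parse lines; return (parsed_count, entries with malformed requests)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return len(entries), [e for e in entries if e["malformed_request"]]


# Constructed sample lines (addresses from the documentation range).
SAMPLES = [
    r'192.0.2.10 - - [17/Jul/2016:12:52:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47" "-"',
    r'192.0.2.11 - - [17/Jul/2016:12:52:13 +0000] "\x0CH\xCA|\x06@S\xAAe" 400 173 "-" "-" "-"',
    r'192.0.2.12 - - [17/Jul/2016:12:52:14 +0000] "\x03" 400 173 "-" "-" "-"',
    r'192.0.2.13 - - [17/Jul/2016:12:52:15 +0000] "-" 400 0 "-" "-" "-"',
]

if __name__ == "__main__":
    total, bad = summarize(SAMPLES)
    for e in bad:
        print(e["host"], e["status"], repr(e["request"]), e["escaped_bytes"])
```

Entries flagged `malformed_request` still carry host, time and status, so they remain countable per source address for alerting.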