kassner / log-parser

PHP Web Server Log Parser Library
Apache License 2.0

400 Bad Request #4

Closed kassner closed 6 years ago

kassner commented 11 years ago

It is necessary to cover bad requests like this:

// Format: %h %l %u %t \"%r\" %>s %O "%{Referer}i" "%{User-Agent}i"
54.232.125.255 - - [07/Oct/2013:04:14:01 +0000] "" 400 0 "-" "-"

Although it is an invalid request, it is a valid log entry, and should be parsed correctly.

MACscr commented 8 years ago

Is there a solution for this yet? I just got an exploit attempt that broke the parser as well:

169.229.3.91 - - [17/Jul/2016:12:52:13 +0000] "\x0CH\xCA|\x06@S\xAAe\x9Bz\xE7\xF3\xB75\x83f\xAC\xAE\xFA\xD1\xCC\x8Ea\x95\xB1$z\x09\x88\x9D\xE5\x90\x94\xF9\x18\x14^\xAE\x8Dp\x83G\xA8\x0Eh!7b\xA9\xB6y\xCAz\x98\xFD" 400 173 "-" "-" "-"

red-led commented 7 years ago

Dirty, but "%{Request}i" and $entry->HeaderRequest worked for me.

Moring commented 7 years ago

Any thoughts on this? Here are some of the exploit attempts we have seen: "\x9e", "\x9e", "GET /wp-includes/js/jquery/)},c...", "\x03". Should %r be modified to capture? Would this be a breaking change for anyone? Or should we do a new %R that is basically everything in request, regardless?
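One way to handle the cases raised in this thread, as an added example that is not kassner/log-parser code and not written by any participant: capture the whole request field raw and split it afterwards, so an empty or binary request line still yields an entry that can be flagged. The names LINE_RE and parseLine and the 192.0.2.x sample lines are assumptions constructed for illustration; the first sample line is the one from the issue.

```php
<?php
// Added example. Format from the issue:
//   %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
// Apache writes non-printable bytes as \xhh and escapes " and \ inside quoted
// fields, so a quoted field is "anything except an unescaped quote".
const LINE_RE = '/^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    . '"(?P<request>(?:[^"\\\\]|\\\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    . '"(?P<referer>(?:[^"\\\\]|\\\\.)*)" "(?P<agent>(?:[^"\\\\]|\\\\.)*)"/';

function parseLine(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null; // not a log entry in this format at all
    }
    // Keep only the named groups.
    $entry = array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY);

    // Split the raw request only if it looks like "METHOD target HTTP/x.y".
    if (preg_match('#^([A-Z]+) (\S+) (HTTP/\d\.\d)$#', $entry['request'], $r)) {
        [, $entry['method'], $entry['target'], $entry['protocol']] = $r;
        $entry['malformed'] = false;
    } else {
        // Empty or binary request line: still a valid log entry, so keep it
        // and mark it instead of failing the whole parse.
        $entry['method'] = $entry['target'] = $entry['protocol'] = null;
        $entry['malformed'] = true;
    }
    return $entry;
}

// Sample input: line 1 is from the issue, lines 2 and 3 are constructed.
$sample = <<<'LOG'
54.232.125.255 - - [07/Oct/2013:04:14:01 +0000] "" 400 0 "-" "-"
192.0.2.10 - - [07/Oct/2013:04:14:02 +0000] "\x03" 400 173 "-" "-"
192.0.2.11 - - [07/Oct/2013:04:14:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
LOG;

foreach (explode("\n", $sample) as $line) {
    $e = parseLine($line);
    if ($e === null) {
        continue;
    }
    printf("%-15s %s %-9s %s\n", $e['host'], $e['status'],
        $e['malformed'] ? 'MALFORMED' : $e['method'], json_encode($e['request']));
}
```

Keeping malformed entries rather than dropping them preserves the 400 responses that scanning and probing traffic produces, which is usually the part of the log a reviewer wants to count.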