Strange advisory

B.R. reallfqq-nginx at yahoo.fr
Sun May 11 04:25:53 UTC 2014


I read the StackOverflow thread and it seems there are 2 teams ping-ponging
the problem:
- One says that it is a terminal problem and that control and escape
sequences should not be executed
- The other says that those features are useful and says that log files are
supposed to be text-only, thus readable safely in a terminal (no control
character should be there)

The advisory stands from the second point of view, which I tend to agree
with. If logs cannot be trusted, which are supposed to be filled with
text, then everything around monitoring (reading, parsing, copying) becomes
a nightmare.

What is the benefit of having those unescaped control characters in a log
file? Escaping them allows you to warn about their presence safely... and
that is directly exploitable by anything, once again safely.
---
*B. R.*
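
Added example, not part of the original message: one way to escape control bytes when reading a log, so that their presence can be reported without a terminal acting on them. The \xHH output form, the function names and the sample log lines are assumptions made for this example.

```python
import re

# Bytes rewritten before display: C0 controls except tab, DEL, and the
# backslash itself, so text that already contains "\x1b" stays unambiguous.
_UNSAFE = re.compile(rb'[\x00-\x08\x0a-\x1f\x7f\\]')

def escape_line(raw):
    """Return (ASCII-only text, offsets of control bytes found in raw)."""
    hits = []

    def repl(m):
        b = m.group()[0]
        if b != 0x5C:                 # a backslash is escaped but not reported
            hits.append(m.start())
        return b'\\x%02x' % b

    safe = _UNSAFE.sub(repl, raw)
    # Bytes >= 0x80 (including 8-bit C1 controls) are escaped as well,
    # which keeps the output pure ASCII at the cost of UTF-8 readability.
    return safe.decode('ascii', 'backslashreplace'), hits

def scan(lines):
    """Return [(line_no, safe_text, control_byte_count)] for raw log lines."""
    report = []
    for no, raw in enumerate(lines, 1):
        safe, hits = escape_line(raw.rstrip(b'\n'))
        report.append((no, safe, len(hits)))
    return report

# Constructed sample: a clean line, a line carrying ESC and BEL bytes,
# and a line holding the literal text "\x1b" (already-escaped input).
SAMPLE = [
    b'203.0.113.7 - - "GET /index.html HTTP/1.1" 200\n',
    b'203.0.113.9 - - "GET /\x1b[2J\x07 HTTP/1.1" 400\n',
    b'203.0.113.9 - - "GET /a\\x1b[2J HTTP/1.1" 404\n',
]

if __name__ == '__main__':
    for no, safe, count in scan(SAMPLE):
        flag = 'CONTROL x%d' % count if count else 'ok'
        print('%d [%s] %s' % (no, flag, safe))
```
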