
Re: [webalizer] Reporting on Query Strings

  • Bradford L. Barrett
    Message 1 of 6 , Sep 17 1:02 PM
      > > Is it possible to create reports on the URL query strings using webalizer?
      >
      > I changed the webalizer source file therefore, in webalizer.c search
      > for "strip query portion" and modify it like this:
      >
      > /* strip query portion of cgi scripts */
      > /* GK: we need query information */
      > cp1 = log_rec.url;
      > /*
      > while (*cp1 != '\0')
      > if (!isurlchar(*cp1)) { *cp1 = '\0'; break; }
      > else cp1++;
      > */

      Bad fix as it allows all sorts of other nasty characters through.
      Just add '?', '&' and '=' to the isurlchar() function and re-compile.

      --
      Bradford L. Barrett brad@...
      A free electron in a sea of neutrons DoD#1750 KD4NAW

      The only thing Micro$oft has done for society, is make people
      believe that computers are inherently unreliable.
    • Glenn Kusardi [STYLIXmail]
      Message 2 of 6 , Sep 17 1:10 PM
        >> /* strip query portion of cgi scripts */
        >> /* GK: we need query information */
        >> cp1 = log_rec.url;
        >> /*
        >> while (*cp1 != '\0')
        >> if (!isurlchar(*cp1)) { *cp1 = '\0'; break; }
        >> else cp1++;
        >> */
        > Bad fix as it allows all sorts of other nasty characters through.
        > Just add '?', '&' and '=' to the isurlchar() function and re-compile.

        Ah yea, never thought of that, well I just quickfixed it.
        But anyways, are there any disadvantages?! I mean the stats should
        show those nasty characters if a URL was called like that?!

        Glenn
      • Bradford L. Barrett
        Message 3 of 6 , Sep 17 2:54 PM
          > > Bad fix as it allows all sorts of other nasty characters through.
          > > Just add '?', '&' and '=' to the isurlchar() function and re-compile.
          >
          > Ah yea, never thought of that, well I just quickfixed it.
          > But anyways, are there any disadvantages?! I mean the stats should
          > show those nasty characters if a URL was called like that?!

          If you want people to run arbitrary code or inject malicious tags in your
          stats report, then go right ahead :)

          Some people freak out over such stuff. For some insight, see:

          http://www.cert.org/advisories/CA-2000-02.html

          --
          Bradford L. Barrett brad@...
          A free electron in a sea of neutrons DoD#1750 KD4NAW

          How do you give Microsoft the benefit of the doubt when you
          know that if you were to throw it in a room with truth, you'd
          risk a matter/anti-matter explosion? -- Nicholas Petreley IDG
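
Added example (not part of the thread and not webalizer's source): the difference between keeping the query string by extending an allowlist with '?', '&' and '=' and letting every character through. The function names and the allowlist characters are assumptions made for this sketch; webalizer's real isurlchar() is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an isurlchar()-style allowlist. The character
 * set is constructed for this example, not copied from webalizer. */
static int url_char_ok(unsigned char ch, int keep_query)
{
    if (isalnum(ch)) return 1;
    if (ch != '\0' && strchr("/.:-_~%+", ch) != NULL) return 1;
    /* The change suggested in the thread: accept the query delimiters too. */
    if (keep_query && (ch == '?' || ch == '&' || ch == '=')) return 1;
    return 0;
}

/* Truncate url in place at the first character outside the allowlist,
 * the same shape as the loop quoted in the thread. Returns url. */
static char *strip_url(char *url, int keep_query)
{
    char *cp1 = url;
    while (*cp1 != '\0') {
        if (!url_char_ok((unsigned char)*cp1, keep_query)) { *cp1 = '\0'; break; }
        cp1++;
    }
    return url;
}

int main(void)
{
    /* Constructed sample request URLs, as they might appear in an access log. */
    const char *samples[] = {
        "/cgi-bin/search.cgi?q=logs&page=2",
        "/cgi-bin/search.cgi?q=<script>alert(1)</script>",
        "/index.html\"><img src=x>",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char a[128], b[128];
        snprintf(a, sizeof a, "%s", samples[i]);
        snprintf(b, sizeof b, "%s", samples[i]);
        printf("logged URL       : %s\n", samples[i]);
        printf("query stripped   : %s\n", strip_url(a, 0));
        printf("allowlist + ?&=  : %s\n\n", strip_url(b, 1));
    }
    return 0;
}
```

With the loop commented out, as in the quoted quick fix, all three sample URLs would reach the generated report unchanged, markup included.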
        • Stephen Moretti
          Message 4 of 6 , Sep 19 9:19 AM
            So the answer is no without hacking about with the source?

            ----- Original Message -----
            From: "Glenn Kusardi [STYLIXmail]" <gkmail@...>
            To: "Bradford L. Barrett" <webalizer@yahoogroups.com>
            Sent: Tuesday, September 17, 2002 9:10 PM
            Subject: Re: [webalizer] Reporting on Query Strings


            > >> /* strip query portion of cgi scripts */
            > >> /* GK: we need query information */
            > >> cp1 = log_rec.url;
            > >> /*
            > >> while (*cp1 != '\0')
            > >> if (!isurlchar(*cp1)) { *cp1 = '\0'; break; }
            > >> else cp1++;
            > >> */
            > > Bad fix as it allows all sorts of other nasty characters through.
            > > Just add '?', '&' and '=' to the isurlchar() function and re-compile.
            >
            > Ah yea, never thought of that, well I just quickfixed it.
            > But anyways, are there any disadvantages?! I mean the stats should
            > show those nasty characters if a URL was called like that?!
            >
            > Glenn