Remove query string from error log. See #447.

2025-08-13 21:36:00 +03:00 · 2008-01-23 18:12:59 +00:00 · 2008-01-23 18:12:59 +00:00 · 9dbc7807d9
commit 9dbc7807d9
parent e0c0d66906
2 changed files with 5 additions and 2 deletions
--- a/5
+++ b/5
@ -1,6 +1,9 @@
-21 Jan 2008 - 2.5.0-rc2
+23 Jan 2008 - 2.5.0-rc2
 -----------------------

+ * No longer log the query portion of the URI in the error log as
+   it may contain sensitive data.
+
 * There are no longer any default transformations performed.

 * Implemented SecRuleUpdateActionById.
--- a/apache2/apache2_util.c
+++ b/apache2/apache2_util.c
@ -276,7 +276,7 @@ void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,

        ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
            "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->connection->remote_ip, str1,
-            hostname, log_escape(msr->mp, r->unparsed_uri), unique_id);
+            hostname, log_escape(msr->mp, r->uri), unique_id);

        /* Add this message to the list. */
        if (msr != NULL) {