From 9dbc7807d9362d194787c97f3215ce235b6bcc67 Mon Sep 17 00:00:00 2001
From: brectanus
Date: Wed, 23 Jan 2008 18:12:59 +0000
Subject: [PATCH] Remove query string from error log. See #447.
---
 CHANGES | 5 ++++-
 apache2/apache2_util.c | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 8c8e9a78..7ce816db 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,9 @@
-21 Jan 2008 - 2.5.0-rc2
+23 Jan 2008 - 2.5.0-rc2
 -----------------------
+ * No longer log the query portion of the URI in the error log as
+ it may contain sensitive data.
+
 * There are no longer any default transformations performed.
 * Implemented SecRuleUpdateActionById.
diff --git a/apache2/apache2_util.c b/apache2/apache2_util.c
index aff4f2d6..166ce38c 100644
--- a/apache2/apache2_util.c
+++ b/apache2/apache2_util.c
@@ -276,7 +276,7 @@ void internal_log(request_rec *r, directory_config *dcfg, modsec_rec *msr,
 ap_log_error(APLOG_MARK, APLOG_ERR | APLOG_NOERRNO, 0, r->server,
 "[client %s] ModSecurity: %s%s [uri \"%s\"]%s", r->connection->remote_ip, str1,
- hostname, log_escape(msr->mp, r->unparsed_uri), unique_id);
+ hostname, log_escape(msr->mp, r->uri), unique_id);
 /* Add this message to the list. */
 if (msr != NULL) {
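Review bot: The rewritten argument `log_escape(msr->mp, r->uri)` in the apache2_util.c hunk still dereferences `msr` unconditionally, while the context two lines below guards the message list with `if (msr != NULL)`. If `msr` can be NULL on this path, the log call faults before that check is reached. Either take the pool from the request, `log_escape(r->pool, r->uri)`, or move the `ap_log_error` call under the same guard. A short comment on the call, such as `/* r->uri is the path only; the query string is left out because it may carry credentials or tokens (see #447) */`, would also keep a later edit from reintroducing `r->unparsed_uri`. `internal_log` starts and ends outside the hunk, so an earlier NULL check on `msr` may already exist.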