Quotes should be escaped in request logs #12834

ofrias · 2025-02-28T09:38:41Z

Jetty version(s)
Jetty 12

Jetty Environment
ee10

Java version/vendor
N/A

OS type/version
N/A

Description
Currently quotes are not escaped in the Jetty request log. This is applicable for example to User-Agent field. User agents are not usually quoted but they could be, even maliciously to corrupt logs or break log processing scripts.
Also applicable to Referer field, or in fact any field that comes from the end user.

How to reproduce?
Executing this:
curl -A 'My Quoted " Agent' 'http://localhost:8080/'

Logs this in the user agent field in the request log:
"My Quoted " Agent"

The same on Apache logs this:
"My Quoted \" Agent"

The text was updated successfully, but these errors were encountered:

ofrias added the Bug For general bugs on Jetty side label Feb 28, 2025

gregw assigned lachlan-roberts Feb 28, 2025

gregw added this to Jetty 12.0.18 - FROZEN Feb 28, 2025

gregw added the High Priority label Feb 28, 2025

gregw assigned gregw and unassigned lachlan-roberts Feb 28, 2025

gregw mentioned this issue Feb 28, 2025

Quoted Request Log #12834 #12835

Merged

joakime removed this from Jetty 12.0.18 - FROZEN Feb 28, 2025

joakime added this to Jetty 12.0.17 - FROZEN Feb 28, 2025

joakime moved this to 🏗 In progress in Jetty 12.0.17 - FROZEN Feb 28, 2025

gregw closed this as completed in #12835 Mar 3, 2025

gregw closed this as completed in 921a77e Mar 3, 2025

github-project-automation bot moved this from 🏗 In progress to ✅ Done in Jetty 12.0.17 - FROZEN Mar 3, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Quotes should be escaped in request logs #12834

Quotes should be escaped in request logs #12834

ofrias commented Feb 28, 2025

Quotes should be escaped in request logs #12834

Quotes should be escaped in request logs #12834

Comments

ofrias commented Feb 28, 2025