We log some of the stuff we see in the HTTP handling. Most commonly, the path: > 2024-07-21 11:21:23 INFO tlwebaccess[1319038]: [xxxx] 'GET / HTTP/1.1' 200 - For well-behaved clients, this is fine, but malicious clients could use this to spam the logs. E.g.: > 2024-07-21 07:43:48 INFO tlwebaccess[1101252]: [xxxxx] 'POST /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh HTTP/1.1' 400 - We also log more stuff if there are bad requests: > 2024-07-21 11:21:57 ERROR tlwebaccess[1319584]: [xxx] code 400, message Bad request version ('"jsonrpc":"2.0"}') > 2024-07-21 11:21:57 INFO tlwebaccess[1319584]: [xxx] '{"id": 1, "method": "mining.subscribe", "params": [], "jsonrpc":"2.0"}' HTTPStatus.BAD_REQUEST - > 2024-07-21 11:21:58 ERROR tlwebaccess[1319629]: [xxx] code 400, message Bad request version ('gcc/5.4.0"}}') > 2024-07-21 11:21:58 INFO tlwebaccess[1319629]: [xxx] '{"id": 1, "jsonrpc": "2.0", "method": "login", "params": { "login": "48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD", "pass": "x", "agent": "XMRig/2.6.0-beta2 (Linux x86_64) libuv/1.8.0 gcc/5.4.0"}}' HTTPStatus.BAD_REQUEST - There seems to be more bugs here, as "HTTPStatus.BAD_REQUEST" should be a status number. Seen on RHEL 9 with ThinLinc 4.17.0. We already make sure to filter out any control characters (like line breaks), but we should probably also limit the length. Perhaps also filter out non-ascii to avoid Unicode attacks, such as RTL markers?
Would be interesting to see how e.g. Apache handles this.
