Wrong HTTP response code in logback-access logs

[baranchikovaleks]

Jetty version - 9.4.46.v20220331

Java version - openjdk version "11.0.11" 2021-04-20

OS - Ubuntu 18.04

Hello!

We spotted in our production access logs some malicious requests that resulted in 200 response code. Further investigation showed that actual HTTP response code is 400, but for some reason 200 OK apprears in access logs.

I created a small project to reproduce, see https://github.com/baranchikovaleks/jettyAccessLog

The request I send is

curl -i http://localhost:8180/cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh -d 'echo;id'
HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=iso-8859-1
Content-Length: 54
Connection: close
Server: Jetty(9.4.46.v20220331)

<h1>Bad Message 400</h1><pre>reason: Bad Request</pre>

As I can see, using CURL I got 400 Bad request, while access logs says

127.0.0.1 - - [09/Jun/2022:11:12:24 +0300] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh null" 200 0 "-" "-"

[joakime]

import ch.qos.logback.access.jetty.RequestLogImpl;

You are using logback-access which has known unfixed bugs.

• Logback-access RequestLog not working #7617
• Fixing behavior of logback-access in the modern era qos-ch/logback#532

Switch to using Jetty's CustomRequestLog with a Slf4jRequestLogWriter and you'll have a tweakable request log being written to the logback (core) framework.