logging-log4j-dev mailing list archives

From "Mitth'raw'nuruodo (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
Date Mon, 23 Nov 2015 05:24:10 GMT

     [ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mitth'raw'nuruodo updated LOG4J2-1203:
--------------------------------------
    Description: 
Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection:
https://cwe.mitre.org/data/definitions/93.html

This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance
of logging in a large application is impractical. Most applications have no need to output
un-filtered line breaks, so they would benefit from a global option.

Could the list of pattern converters be extended to include a modifier to say that whitespace
should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? Eg {{%_m}}

Alternatively, it would be simple to implement a wrapper that would apply normalisation to
the output of another layout, but it would be more difficult to configure such a wrapper in
XML, and it would affect the entire log output, effectively obliterating all padding modifiers.

  was:
Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection:
https://cwe.mitre.org/data/definitions/93.html

This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance
of logging in a large application is impractical. Most applications have no need to output
un-filtered line breaks, so they would benefit from a global option.

Could the list of pattern converters be extended to include a modifier to say that whitespace
should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? Eg {{%_m}}

Alternatively, it would be simple to implement a wrapper that would apply normalisation to
the output of another layout, but it would be more difficult to configure such a wrapper in
XML.


> Allow filtering of line breaks in layout pattern
> ------------------------------------------------
>
>                 Key: LOG4J2-1203
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1203
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Pattern Converters
>    Affects Versions: 2.4.1
>            Reporter: Mitth'raw'nuruodo
>            Priority: Minor
>
> Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually escaping/encoding/sanitising every
> instance of logging in a large application is impractical. Most applications have no need
> to output un-filtered line breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say that whitespace
> should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply normalisation
> to the output of another layout, but it would be more difficult to configure such a wrapper
> in XML, and it would affect the entire log output, effectively obliterating all padding modifiers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscribe@logging.apache.org
For additional commands, e-mail: log4j-dev-help@logging.apache.org
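
The two options weighed in the issue, as an added example that is not part of the original message and is not Log4j code: normalising only the message field keeps the layout's column padding, while normalising the whole layout output collapses it. The `normaliseSpace` helper (roughly what Commons Lang's `StringUtils.normalizeSpace` does), the `layout` stand-in for a pattern layout, and the sample input are all assumptions constructed for the illustration.

```java
import java.util.regex.Pattern;

public class LineBreakFilterDemo {
    // Runs of any whitespace, including CR and LF.
    private static final Pattern WHITESPACE = Pattern.compile("\\s+");

    // Hypothetical helper: collapses whitespace runs to one space and trims,
    // similar in effect to Commons Lang StringUtils.normalizeSpace.
    static String normaliseSpace(String s) {
        return WHITESPACE.matcher(s).replaceAll(" ").trim();
    }

    // Stand-in for a pattern such as "%-5level %-12logger %m%n" (not Log4j code).
    static String layout(String level, String logger, String message) {
        return String.format("%-5s %-12s %s%n", level, logger, message);
    }

    // Option 1 from the issue: normalise only the message field (the "%_m" idea).
    static String perMessage(String level, String logger, String message) {
        return layout(level, logger, normaliseSpace(message));
    }

    // Option 2 from the issue: wrap the layout and normalise its entire output.
    static String wrapped(String level, String logger, String message) {
        return normaliseSpace(layout(level, logger, message)) + System.lineSeparator();
    }

    public static void main(String[] args) {
        // Constructed sample input: a user-supplied value carrying CRLF
        // followed by text shaped like a second log entry.
        String user = "alice\r\nINFO  auth         login ok for admin";
        String msg = "login failed for " + user;

        // Unfiltered: the single event is written as two lines.
        System.out.print("unfiltered:\n" + layout("WARN", "auth", msg));
        // Per-message: one line, level and logger columns still padded.
        System.out.print("per-message:\n" + perMessage("WARN", "auth", msg));
        // Wrapped: one line, but the column padding is collapsed as well.
        System.out.print("wrapped:\n" + wrapped("WARN", "auth", msg));
    }
}
```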

