poi-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 58040] Log Forging
Date Tue, 16 Jun 2015 23:55:06 GMT

--- Comment #3 from Andreas Beeker <kiwiwings@apache.org> ---
Actually I'm not sure how to fix this ...:
first thought was, there might be a config option in the underlying logger, but
we can't rely on it as we have different logger interfaces which some (or
all?) do not provide such an option.

Next thought was, to simply change the POILogger class and sanitize the CR/LFs,
limit the length, but then we also might need XSS filtering. I don't like the
idea of forcing HTML encoding in the logging class, just because the log might
be viewed in a browser.

So maybe we just provide another logging facade with the above features, but
then should we enable it by default, by system property (which nobody realizes
to set) or some heuristic ("we are running in an appserver, so we should
activate XSS filtering, because appserver logs are often viewed online ...")?
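The sanitizing facade sketched in the comment above, written out as an added example; this is not Apache POI code, and the class name `LogSanitizer`, the 512-character limit and the `poi.log.htmlescape` system property are assumptions chosen for illustration. CR and LF are rewritten to visible escapes rather than dropped, so an injected line break can no longer start a fake log record but the attempt stays visible to whoever reads the log; HTML escaping is kept separate and opt-in, matching the concern that the logger should not force it on everyone.

```java
import java.util.Locale;

/** Hypothetical log-message sanitizer against log forging (not part of Apache POI). */
public final class LogSanitizer {

    /** Assumed cap on a single message; anything longer is truncated with a marker. */
    static final int MAX_LENGTH = 512;

    /** Assumed opt-in switch for HTML escaping, e.g. -Dpoi.log.htmlescape=true. */
    static final String HTML_ESCAPE_PROPERTY = "poi.log.htmlescape";

    private LogSanitizer() {}

    /**
     * Neutralise line breaks and other control characters so untrusted input cannot
     * forge a new log record, then limit the length. Tab is kept readable.
     */
    public static String sanitize(String msg) {
        if (msg == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(msg.length());
        for (int i = 0; i < msg.length(); i++) {
            char c = msg.charAt(i);
            if (c == '\r') {
                sb.append("\\r");            // visible, but no longer a line break
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\t') {
                sb.append(c);
            } else if (c < 0x20 || c == 0x7F) {
                sb.append(String.format(Locale.ROOT, "\\x%02X", (int) c));
            } else {
                sb.append(c);
            }
        }
        if (sb.length() > MAX_LENGTH) {
            int dropped = sb.length() - MAX_LENGTH;
            sb.setLength(MAX_LENGTH);
            sb.append("...[truncated ").append(dropped).append(" chars]");
        }
        return sb.toString();
    }

    /** Minimal HTML escaping for logs that are known to be rendered in a browser. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** What a logging facade would call: always sanitize, HTML-escape only when opted in. */
    public static String prepare(String msg) {
        String s = sanitize(msg);
        return Boolean.getBoolean(HTML_ESCAPE_PROPERTY) ? htmlEscape(s) : s;
    }

    public static void main(String[] args) {
        // Constructed sample: a user-supplied file name carrying an injected fake log line
        // and a script tag, as an attacker would try against a log viewed in a browser.
        String untrusted = "report.xlsx\r\nINFO  [POI] admin login succeeded <script>alert(1)</script>";
        System.out.println("Opening " + prepare(untrusted));
    }
}
```

Run once as-is and once with `-Dpoi.log.htmlescape=true` to see the two modes; in both, the injected CR/LF appears as the literal text `\r\n` inside the original record instead of creating a second one.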


