Hi Malithi,
The problem with the given fix is that even stack traces are sanitized.
IMO, you don't need to sanitize stack traces. Sanitizing log messages
(log.error("message"), exception.getMessage()) is sufficient to prevent log
forging.
This problem affects all products. I think we have to fix this ASAP.
Thanks.
On Wed, Nov 18, 2015 at 3:24 PM, Malithi Edirisinghe <[email protected]>
wrote:
> Hi All,
>
> This was added for a security fix [1] and was discussed at security-leads@
> [2]. So the present fix affects the existing appenders
> (CarbonConsoleAppender, CarbonDailyRollingFileAppender, MemoryAppender).
> The other option that we could have done is to extend the existing
> appenders and introduce a Secured set of appenders such that only those
> will sanitize the logging message. But with the present fix, I'm afraid
> that, other than configuring the appender in log4j.properties to some
> built-in log4j appender, we won't be able to get rid of this sanitization
> logic at logging.
>
> [1] https://support.wso2.com/jira/browse/SECINTDEV-5
> [2] 'Preventing CRLF Injection when logging'
>
> Thanks,
> Malithi.
>
> On Wed, Nov 18, 2015 at 3:05 PM, Viraj Senevirathne <[email protected]>
> wrote:
>
>> Hi Krishantha,
>>
>> We have observed that *Log Mediator in ESB* is affected by this
>> change. If there are new lines in the message payload, it is very inconvenient
>> and hard to read the logs. And the user cannot see the actual payload as it is,
>> because this functionality changes the message log.
>>
>> Thanks,
>>
>> On Wed, Nov 18, 2015 at 2:58 PM, Sajith Ariyarathna <[email protected]>
>> wrote:
>>
>>> Hi All,
>>>
>>> We are using carbon.kernel.version 4.4.2 in MDM 2.0.0 SNAPSHOT and we
>>> face the same problem (new lines are replaced with underscores in logs).
>>> Because of this behavior, it is very hard to debug/find problems by reading
>>> error logs. Is there any way to bypass/stop this behavior without patching
>>> the carbon kernel?
>>>
>>> Thanks.
>>>
>>> On Fri, Oct 30, 2015 at 11:57 AM, Viraj Senevirathne <[email protected]>
>>> wrote:
>>>
>>>> Hi Kasun,
>>>>
>>>> It seems that it has happened due to this commit
>>>> https://github.com/wso2/carbon-kernel/commit/e0b6ae7d9f4cdee2f0bf3744b2a3ce02c3b808bf
>>>> . We removed it and patched the kernel, and then the issue was resolved. What can we
>>>> do about this?
>>>>
>>>> Thank You,
>>>>
>>>> On Fri, Oct 30, 2015 at 9:15 AM, Kasun Gajasinghe <[email protected]>
>>>> wrote:
>>>>
>>>>> Can you guys go through recent commits to org.wso2.carbon.logging
>>>>> component and find out if any of those caused this issue?
>>>>>
>>>>> On Oct 29, 2015, at 9:23 PM, Jagath Sisirakumara Ariyarathne <
>>>>> [email protected]> wrote:
>>>>>
>>>>> Hi Carbon Team,
>>>>>
>>>>> Any thoughts on figuring out the issue are much appreciated.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Wed, Oct 28, 2015 at 3:42 PM, Viraj Senevirathne <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> We have upgraded the carbon version in ESB from 4.4.1 to 4.4.2. Then
>>>>>> we encountered the following issue.
>>>>>>
>>>>>> *In carbon.kernel.version 4.4.1 and earlier carbon versions*
>>>>>>
>>>>>> TID: [-1234] [] [2015-10-23 16:43:26,614] INFO
>>>>>> {org.apache.synapse.mediators.builtin.LogMediator} - To:
>>>>>> /services/sendReciveProxy.sendReciveProxyHttpSoap11Endpoint, WSAction:
>>>>>> urn:getQuote, SOAPAction: urn:getQuote, MessageID:
>>>>>> urn:uuid:333b6811-04aa-4c6a-94fb-3edc4d56065d, Direction: request,
>>>>>> Envelope: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
>>>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="
>>>>>> http://services.samples/xsd" xmlns:ser="http://services.samples
>>>>>> "><soapenv:Body>
>>>>>> <ser:getQuote>
>>>>>> <!--Optional:-->
>>>>>> <ser:request>
>>>>>> <!--Optional:-->
>>>>>> <xsd:symbol>IBM</xsd:symbol>
>>>>>> </ser:request>
>>>>>> </ser:getQuote>
>>>>>> </soapenv:Body></soapenv:Envelope>
>>>>>> {org.apache.synapse.mediators.builtin.LogMediator}
>>>>>>
>>>>>> *Same log in carbon.kernel.version 4.4.2 *
>>>>>>
>>>>>> [2015-10-28 15:38:36,027] INFO - LogMediator To:
>>>>>> /services/callOutOnly.callOutOnlyHttpSoap11Endpoint, WSAction:
>>>>>> urn:mediate,
>>>>>> SOAPAction: urn:mediate, MessageID:
>>>>>> urn:uuid:61f4b04c-0906-4228-975e-1b8f1be7450d, Direction: request,
>>>>>> Envelope: <?xml version='1.0' encoding='utf-8'?><soapenv:Envelope
>>>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="
>>>>>> http://www.w3.org/2005/08/addressing"><soapenv:Body>_
>>>>>> <m:placeOrder xmlns:m="http://services.samples">_ <m:order>_
>>>>>> <m:price>3.141593E0</m:price>_
>>>>>> <m:quantity>4</m:quantity>_ <m:symbol>IBM</m:symbol>_
>>>>>> </m:order>_ </m:placeOrder>_
>>>>>> </soapenv:Body></soapenv:Envelope> (Sanitized)
>>>>>>
>>>>>>
>>>>>> As you can see, all the new lines are replaced with _.
>>>>>>
>>>>>> What could be the issue here?
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>> --
>>>>>> Viraj Senevirathne
>>>>>> Software Engineer; WSO2, Inc.
>>>>>>
>>>>>> Mobile : +94 71 958 0269
>>>>>> Email : [email protected]
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Jagath Ariyarathne
>>>>> Technical Lead
>>>>> WSO2 Inc. http://wso2.com/
>>>>> Email: [email protected]
>>>>> Mob : +94 77 386 7048
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Viraj Senevirathne
>>>> Software Engineer; WSO2, Inc.
>>>>
>>>> Mobile : +94 71 958 0269
>>>> Email : [email protected]
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Sajith Ariyarathna
>>> Software Engineer; WSO2, Inc.; http://wso2.com/
>>> mobile: +94 77 6602284, +94 71 3951048
>>>
>>
>>
>>
>> --
>> Viraj Senevirathne
>> Software Engineer; WSO2, Inc.
>>
>> Mobile : +94 71 958 0269
>> Email : [email protected]
>>
>
>
>
> --
>
> *Malithi Edirisinghe*
> Senior Software Engineer
> WSO2 Inc.
>
> Mobile : +94 (0) 718176807
> [email protected]
>
--
Sajith Ariyarathna
Software Engineer; WSO2, Inc.; http://wso2.com/
mobile: +94 77 6602284, +94 71 3951048
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
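Added example for this thread (not code from the thread, from carbon-kernel or from log4j): the CRLF log-forging problem the sanitization was introduced for, and the trade-off the replies describe between sanitizing the caller-supplied message / exception message and flattening everything, stack traces and multi-line payloads included. Only the behaviour visible in the quoted output is mimicked (CR/LF replaced by "_", a trailing "(Sanitized)" marker); the record layout, the function names (sanitize, format_record, format_exception, count_records) and the sample inputs FORGED_USER and PAYLOAD are constructed assumptions.

```python
# Added example for this thread: CRLF log forging, the sanitization that
# stops it, and the stack-trace / payload trade-off the replies describe.
# Not carbon-kernel or log4j code. Only the visible behaviour (CR/LF -> "_",
# trailing "(Sanitized)") is taken from the quoted output; the record layout,
# function names and sample inputs below are constructed for illustration.
import re
import traceback

CRLF = re.compile(r"[\r\n]")

# Constructed attacker input: a "username" that smuggles a second, fake
# record. Without sanitization a line-oriented reader sees two records.
FORGED_USER = ("mallory\n[2015-10-28 15:38:36,027] INFO - "
               "AuthenticationService Login succeeded for admin")

# Constructed legitimate multi-line payload, like the Log Mediator output
# quoted in the thread; sanitization flattens it too, which is the cost.
PAYLOAD = ("<soapenv:Body>\n  <m:order>\n    <m:symbol>IBM</m:symbol>\n"
           "  </m:order>\n</soapenv:Body>")


def sanitize(text):
    """Neutralise CR and LF so attacker-controlled text cannot start a new record."""
    return CRLF.sub("_", text)


def is_forging_attempt(text):
    """True if the text carries CR/LF, i.e. it would be altered by sanitize()."""
    return CRLF.search(text) is not None


def format_record(ts, level, logger, message, sanitize_message=True):
    """Render one record. Only the caller-supplied message is sanitized;
    the timestamp and logger name are produced by the logging framework."""
    body = sanitize(message) if sanitize_message else message
    suffix = " (Sanitized)" if body != message else ""
    return "[%s] %s - %s %s%s" % (ts, level, logger, body, suffix)


def format_exception(ts, level, logger, exc, sanitize_trace=False):
    """Exception record. The exception message (the getMessage() equivalent)
    can carry user input, so it is sanitized; the frames come from the
    runtime and stay multi-line unless sanitize_trace is set, which is the
    'sanitize everything' behaviour the reply at the top objects to."""
    head = format_record(ts, level, logger,
                         "%s: %s" % (type(exc).__name__, exc))
    frames = "".join(traceback.format_tb(exc.__traceback__)).rstrip("\n")
    if sanitize_trace:
        frames = sanitize(frames)
    return head + "\n" + frames


def count_records(log_text):
    """Count records the way a naive line-oriented log reader would."""
    return sum(1 for line in log_text.splitlines() if line.startswith("["))


def _fail_with(user):
    # The user input ends up verbatim in the exception message.
    raise ValueError("bad symbol %s" % user)


def capture_exception(user):
    """Produce an exception (with traceback) whose message embeds user input."""
    try:
        _fail_with(user)
    except ValueError as exc:
        return exc


if __name__ == "__main__":
    ts = "2015-10-28 15:38:36,027"
    msg = "Login failed for " + FORGED_USER
    print(format_record(ts, "WARN", "AuthenticationService", msg,
                        sanitize_message=False))   # two records appear
    print(format_record(ts, "WARN", "AuthenticationService", msg))  # one
    print(format_exception(ts, "ERROR", "QuoteService",
                           capture_exception(FORGED_USER)))
```

Running it prints the forged record twice, first as two apparent records and then collapsed into one line ending in "(Sanitized)", followed by an exception record whose message is sanitized while its frames remain readable across lines. Passing sanitize_trace=True to format_exception reproduces the flattened, underscore-joined output the replies complain about.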