[
https://issues.apache.org/jira/browse/KARAF-6353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924856#comment-16924856
]
ASF GitHub Bot commented on KARAF-6353:
---------------------------------------
jbonofre commented on pull request #933: [KARAF-6353] Remove invalid command
displayed in the log in shutdown socket
URL: https://github.com/apache/karaf/pull/933
----------------------------------------------------------------
> Sanitize ShutdownSocketThread command log
> -----------------------------------------
>
> Key: KARAF-6353
> URL: https://issues.apache.org/jira/browse/KARAF-6353
> Project: Karaf
> Issue Type: Improvement
> Components: karaf
> Reporter: Colm O hEigeartaigh
> Assignee: Jean-Baptiste Onofré
> Priority: Minor
> Fix For: 4.3.0, 4.2.7
>
>
> In ShutdownSocketThread it logs an unsuccessful command with:
> {code}
> LOG.log(Level.WARNING, "Karaf shutdown socket: Invalid command '" +
> command.toString() + "' received");
> {code}
> Here we should make sure to sanitize the command.toString() output, as
> otherwise it gives an attacker the opportunity to pollute the logs with CRLF
> characters.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
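An added example, not Karaf's code and not the change made in pull request #933: it logs the same constructed input once with the pattern quoted in the issue and once after escaping, so the CRLF effect and the sanitized result can be compared in the output. The class name, `sanitizeForLog`, the 64-character cap and the `StringBuilder` type of `command` are assumptions made for illustration.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

public class ShutdownCommandLogDemo {
    private static final Logger LOG = Logger.getLogger(ShutdownCommandLogDemo.class.getName());
    private static final int MAX_LOGGED_CHARS = 64; // assumed cap, not a Karaf setting

    /** Escape control and non-ASCII characters so the value can never start a new log line. */
    static String sanitizeForLog(CharSequence raw) {
        StringBuilder out = new StringBuilder();
        int limit = Math.min(raw.length(), MAX_LOGGED_CHARS);
        for (int i = 0; i < limit; i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                case '\\': out.append("\\\\"); break; // keeps the escaping unambiguous
                case '\'': out.append("\\'"); break;  // value cannot close the quoted field early
                default:
                    if (c < 0x20 || c > 0x7e) {
                        // Covers other line separators such as NEL and U+2028 as hex escapes.
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        if (raw.length() > limit) {
            out.append("...[").append(raw.length() - limit).append(" more chars]");
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input standing in for bytes received on the shutdown socket.
        StringBuilder command = new StringBuilder(
            "bogus' received\r\nJan 01, 2020 12:00:00 AM forged.Logger info\r\nINFO: forged entry");

        // Pattern from the issue: the raw value reaches the log and reads as several entries.
        LOG.log(Level.WARNING, "Karaf shutdown socket: Invalid command '" + command.toString() + "' received");

        // Sanitized: the same input stays on one line, with CR/LF visible as text.
        LOG.log(Level.WARNING, "Karaf shutdown socket: Invalid command '" + sanitizeForLog(command) + "' received");
    }
}
```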