[ https://issues.apache.org/jira/browse/KARAF-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned KARAF-7061:
-------------------------------------------
Assignee: Jean-Baptiste Onofré
> Add default message escaping for Log4J2 configuration to help prevent log
> injection attacks
> -------------------------------------------------------------------------------------------
>
> Key: KARAF-7061
> URL: https://issues.apache.org/jira/browse/KARAF-7061
> Project: Karaf
> Issue Type: Improvement
> Components: karaf
> Affects Versions: 4.3.0, 4.2.10
> Reporter: Serge Huber
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> As recommended in
> https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
> to prevent log injections of CRLF or HTML code (which could be exploited if
> the logs are displayed in an HTML page), we should change the default log4j2
> pattern in Karaf from:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
> {code}
> to something like this:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n
> {code}
> See :
> This would limit the message to 500 characters to prevent sending huge
> messages and will turn on the default HTML escaping which escapes for CRLF
> and any HTML tags such as <script>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
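To make the effect of the proposed `%encode{%.-500m}` field concrete, here is an added Python emulation of what that converter pair does to a message (this is illustrative code written for this page, not Log4j2's or Karaf's implementation; the escape table follows Log4j2's documented HTML encoding, and the sample messages are constructed):

```python
"""Emulation of the proposed Karaf pattern field `%encode{%.-500m}`.

Hypothetical re-implementation for illustration only, not Log4j2 code.
"""

# Log4j2's HTML encoding (the default for %encode when no type is given):
# CR/LF become the literal two-character sequences \r and \n, and the
# HTML-significant characters become entities.
_HTML_ESCAPES = {
    "\r": "\\r",
    "\n": "\\n",
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&apos;",
    "/": "&#x2F;",
}


def truncate_from_end(message: str, max_len: int = 500) -> str:
    """`%.-500m`: a negative precision keeps the first max_len characters."""
    return message[:max_len]


def html_encode(text: str) -> str:
    """`%encode{...}` with the default HTML encoding."""
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in text)


def render_message(message: str, max_len: int = 500) -> str:
    """Apply the pattern inner-to-outer: truncate first, then encode.

    Caveat: because encoding runs after truncation, the rendered field can
    exceed max_len once entities such as &lt; have been expanded.
    """
    return html_encode(truncate_from_end(message, max_len))


def format_line(level: str, logger: str, message: str) -> str:
    """Cut-down version of the ticket's pattern around the %m field
    (timestamp, thread and bundle MDC fields omitted)."""
    return f"{level:<5} | {logger:<32} | {render_message(message)}"


def count_lines(rendered: str) -> int:
    """Physical log lines a rendered record occupies (1 means no forgery)."""
    return rendered.count("\n") + 1


# Constructed samples of untrusted input reaching a log call.
FORGED_LINE = "user=alice\r\nINFO  | org.example.Auth | login ok for admin"
SCRIPT_TAG = "<script>alert('x')</script>"
```

With the plain `%m` field the first sample would appear as two records and the second would reach any HTML log viewer unescaped; after `render_message` each stays on one line with the tag neutralised.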