[ https://issues.apache.org/jira/browse/KARAF-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17296435#comment-17296435 ]
ASF subversion and git services commented on KARAF-7061:
--------------------------------------------------------
Commit 8b7d135c9b025cec55f569a28b88e4e319633ab6 in karaf's branch
refs/heads/master from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=karaf.git;h=8b7d135 ]
Merge pull request #1318 from jbonofre/KARAF-7061
[KARAF-7061] Change log4j2.pattern to prevent CRLF/HTML code injection
> Add default message escaping for Log4J2 configuration to help prevent log
> injection attacks
> -------------------------------------------------------------------------------------------
>
> Key: KARAF-7061
> URL: https://issues.apache.org/jira/browse/KARAF-7061
> Project: Karaf
> Issue Type: Improvement
> Components: karaf
> Affects Versions: 4.3.0, 4.2.10
> Reporter: Serge Huber
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> As recommended in
> https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
> to prevent log injections of CRLF or HTML code (which could be exploited if
> the logs are displayed in an HTML page), we should change the default log4j2
> pattern in Karaf from:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
> {code}
> to something like this:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n
> {code}
> See:
> This would limit the message to 500 characters to prevent sending huge
> messages and will turn on the default HTML escaping which escapes for CRLF
> and any HTML tags such as <script>.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
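To make the effect of the proposed pattern change concrete, here is an added Python model of the fragment %encode{%.-500m}; it is not Karaf's or Log4j2's own code. It assumes Log4j2's default %encode (HTML) turns CR/LF into the literal two-character sequences \r and \n and HTML-escapes & < > " ' /, that %.-500m keeps the first 500 characters of the message, and it renders the rest of the Karaf pattern with constructed timestamp and MDC values.

```python
# Added example (not Karaf's or Log4j2's own code): a small Python model of
# the pattern change proposed in the issue, so the effect of
# %encode{%.-500m} on a forged log message can be checked offline.

MAX_MESSAGE_CHARS = 500

# Escape table modelled on Log4j2's HTML encoder (assumption, see lead-in).
HTML_ESCAPES = {
    "\r": "\\r", "\n": "\\n", "&": "&amp;", "<": "&lt;",
    ">": "&gt;", '"': "&quot;", "'": "&apos;", "/": "&#x2F;",
}


def format_message(message: str) -> str:
    """%encode{%.-500m}: truncate to 500 chars first, then HTML-encode."""
    truncated = message[:MAX_MESSAGE_CHARS]                        # %.-500m
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in truncated)  # %encode


def render_line(level: str, thread: str, logger: str, bundle: str,
                message: str, encode: bool) -> str:
    """Render one entry in the shape of Karaf's log4j2.pattern.

    The timestamp is a constructed constant standing in for %d{ISO8601};
    `bundle` stands in for "%X{bundle.id} - %X{bundle.name} - %X{bundle.version}".
    """
    body = format_message(message) if encode else message
    return (f"2021-03-05T12:00:00,000 | {level:<5} | {thread:<16} | "
            f"{logger:<32} | {bundle} | {body}\n")


def count_entries(log_text: str) -> int:
    """How many lines a reader (or a log parser) will see in this text."""
    return log_text.count("\n")


# Constructed sample: untrusted input that tries to forge a second entry
# and to smuggle markup into a log viewer that renders entries as HTML.
FORGED_INPUT = ("login failed for user bob\n"
                "2021-03-05T12:00:01,000 | INFO  | forged | audit | 42 - x - 1 | "
                "admin login ok <script>alert(1)</script>")
BUNDLE = "42 - org.example.app - 1.0.0"  # constructed MDC values

if __name__ == "__main__":
    for encode in (False, True):
        line = render_line("WARN", "qtp-12", "LoginService", BUNDLE, FORGED_INPUT, encode)
        print(f"encode={encode}: {count_entries(line)} line(s)\n{line}")
```

With the old pattern the sample renders as two entries, the second of which looks like a genuine successful admin login; with %encode it stays a single entry and the markup is inert.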