[
https://issues.apache.org/jira/browse/KARAF-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17296437#comment-17296437
]
ASF subversion and git services commented on KARAF-7061:
--------------------------------------------------------
Commit 9b6007026db9399708bc3a43dd7ea95862d621de in karaf's branch
refs/heads/karaf-4.2.x from jbonofre
[ https://gitbox.apache.org/repos/asf?p=karaf.git;h=9b60070 ]
[KARAF-7061] Change log4j2.pattern to prevent CRLF/HTML code injection
(cherry picked from commit bac366abbc27e9961476d303e54fa17820fee765)
> Add default message escaping for Log4J2 configuration to help prevent log
> injection attacks
> -------------------------------------------------------------------------------------------
>
> Key: KARAF-7061
> URL: https://issues.apache.org/jira/browse/KARAF-7061
> Project: Karaf
> Issue Type: Improvement
> Components: karaf
> Affects Versions: 4.3.0, 4.2.10
> Reporter: Serge Huber
> Assignee: Jean-Baptiste Onofré
> Priority: Major
>
> As recommended in
> https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
> to prevent log injections of CRLF or HTML code (which could be exploited if
> the logs are displayed in an HTML page), we should change the default log4j2
> pattern in Karaf from:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
> {code}
> to something like this:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n
> {code}
> See :
> This would limit the message to 500 characters to prevent sending huge
> messages and will turn on the default HTML escaping which escapes for CRLF
> and any HTML tags such as <script>
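The issue description above explains what the proposed `%encode{%.-500m}` fragment does, but not what a forged message looks like before and after it. The following Python model is an added example, not Karaf's or Log4j2's own code: it reproduces the two transformations (truncate the message to its first 500 characters, then HTML-encode it) over a constructed sample that tries to forge a second log line and to smuggle a `<script>` tag. The escape table is an assumption modelled on Log4j2's HTML encoding of `%encode`; the function names and the sample input are invented for this illustration.

```python
# Added example (not Karaf's or Log4j2's code): a Python model of the
# log4j2 pattern fragment "%encode{%.-500m}" applied to a log message.
# The escape table is an assumption modelled on Log4j2's HTML encoder.

# Characters rewritten by the HTML encoder (assumed table): CR and LF become
# the two-character sequences \r and \n, so a message can no longer start a
# new log line, and HTML-significant characters become entities.
HTML_ESCAPES = {
    "\r": "\\r",
    "\n": "\\n",
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def truncate_from_start(message: str, max_chars: int) -> str:
    """Model of the precision modifier in %.-500m: keep only the first
    max_chars characters of the message (the leading '-' means truncate
    from the end, i.e. keep the beginning)."""
    return message[:max_chars]


def html_encode(message: str) -> str:
    """Model of %encode{...}: escape each character found in HTML_ESCAPES."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in message)


def render_message(message: str, max_chars: int = 500) -> str:
    """%encode{%.-500m}: the inner %.-500m is evaluated first (truncate),
    and %encode then escapes whatever is left."""
    return html_encode(truncate_from_start(message, max_chars))


def line_count(rendered: str) -> int:
    """Number of physical lines a message occupies once written to the log."""
    return len(rendered.splitlines()) or 1


# Constructed sample input: a user-controlled value (e.g. a username) that
# embeds CRLF followed by a fake log record, plus a script tag aimed at any
# HTML log viewer. This is illustrative data, not a real Karaf log line.
FORGED_INPUT = (
    "login failed for user bob\r\n"
    "2021-03-05T10:00:00 | INFO  | main | Auth | 0 - root - 4.2.10 | login ok for admin"
    "<script>alert(1)</script>"
)

if __name__ == "__main__":
    print("raw message spans", line_count(FORGED_INPUT), "line(s)")
    print("encoded message spans", line_count(render_message(FORGED_INPUT)), "line(s)")
    print(render_message(FORGED_INPUT))
```

Two points worth keeping in mind when reading the result. First, the truncation applies to the raw message before encoding, so an encoded line can still exceed 500 characters (a message made only of `<` characters quadruples in length). Second, `%encode` wraps `%m` only: the other fields in the Karaf pattern, such as `%t` and the `%X{...}` context values, are written unescaped, so anything user-influenced that reaches those fields is not covered by this change.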