[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mitth'raw'nuruodo updated LOG4J2-1203:
--------------------------------------
    Description:
Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection: https://cwe.mitre.org/data/definitions/93.html

This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance of logging in a large application is impractical. Most applications have no need to output un-filtered line breaks, so they would benefit from a global option.

Could the list of pattern converters be extended to include a modifier to say that whitespace should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? Eg {{%_m}}

Alternatively, it would be simple to implement a wrapper that would apply normalisation to the output of another layout, but it would be more difficult to configure such a wrapper in XML, and it would affect the entire log output, effectively obliterating all padding modifiers.

  was:
Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection: https://cwe.mitre.org/data/definitions/93.html

This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance of logging in a large application is impractical. Most applications have no need to output un-filtered line breaks, so they would benefit from a global option.

Could the list of pattern converters be extended to include a modifier to say that whitespace should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? Eg {{%_m}}

Alternatively, it would be simple to implement a wrapper that would apply normalisation to the output of another layout, but it would be more difficult to configure such a wrapper in XML.

> Allow filtering of line breaks in layout pattern
> ------------------------------------------------
>
>                 Key: LOG4J2-1203
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1203
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Pattern Converters
>   Affects Versions: 2.4.1
>            Reporter: Mitth'raw'nuruodo
>            Priority: Minor
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection: https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
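
Added example, not part of the original issue and not Log4j code: a JDK-only comparison of the two options the description weighs, normalising whitespace in the message field only versus wrapping the whole layout output. The class, the helper names, the stand-in pattern and the sample input are all hypothetical or constructed, and the regex is only an approximation of the Commons Lang normalisation the reporter refers to.

```java
import java.util.regex.Pattern;

public class LineBreakFilterDemo {
    // Any run of whitespace, including CR and LF, collapses to one space.
    private static final Pattern WS = Pattern.compile("\\s+");

    // Hypothetical helper: JDK-only approximation of the requested normalisation.
    static String normaliseSpace(String s) {
        return WS.matcher(s).replaceAll(" ").trim();
    }

    // Stand-in for a padded layout pattern such as "%-5level [%-10logger] %m%n".
    static String layout(String level, String logger, String msg) {
        return String.format("%-5s [%-10s] %s%n", level, logger, msg);
    }

    // Option 1 in the issue: a modifier applied to the message field only.
    static String perField(String level, String logger, String msg) {
        return layout(level, logger, normaliseSpace(msg));
    }

    // Option 2 in the issue: a wrapper normalising the entire layout output.
    static String wrapper(String level, String logger, String msg) {
        return normaliseSpace(layout(level, logger, msg)) + System.lineSeparator();
    }

    // Number of records a line-oriented log reader would see (Java 11+).
    static long records(String out) {
        return out.lines().count();
    }

    public static void main(String[] args) {
        // Constructed input: a user-supplied value carrying CRLF and a fake record.
        String user = "guest\r\nINFO  [auth      ] Login succeeded for admin";
        String msg = "Login failed for " + user;

        String raw = layout("WARN", "auth", msg);
        String field = perField("WARN", "auth", msg);
        String whole = wrapper("WARN", "auth", msg);

        // Unfiltered output splits into 2 records; both filtered forms stay at 1.
        System.out.print("unfiltered (" + records(raw) + " records):\n" + raw);
        // Per-field keeps the "WARN  [auth      ]" column padding intact.
        System.out.print("per-field  (" + records(field) + " record):\n" + field);
        // The wrapper collapses the padding to "WARN [auth ]" as the issue warns.
        System.out.print("wrapper    (" + records(whole) + " record):\n" + whole);
    }
}
```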