[
https://issues.apache.org/jira/browse/ACCUMULO-3681?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14375161#comment-14375161
]
ASF GitHub Bot commented on ACCUMULO-3681:
------------------------------------------
Github user joshelser commented on the pull request:
https://github.com/apache/accumulo/pull/24#issuecomment-84702521
Thanks for the explanation, Ed, that makes sense to me!
> Avoid string format injection problems
> --------------------------------------
>
> Key: ACCUMULO-3681
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3681
> Project: Accumulo
> Issue Type: Sub-task
> Components: build
> Reporter: Christopher Tubbs
> Assignee: Ed Coleman
> Fix For: 1.7.0
>
>
> In log4j, we could write {{log.debug(e,e);}}, where {{e}} was an
> {{Exception}} type, whenever we didn't have a more specific message to put
> in. Log4j would convert the first parameter to a {{String}}.
> With the migration to slf4j, this no longer works. Instead, slf4j requires
> the first parameter to be a format string. So, in many places, we've
> converted these to something like {{log.debug(e.toString(),e);}}.
> However, the key point here is that it's not just _any_ string, it's
> specifically a *format* string. So, this will be problematic if
> {{e.toString()}} actually contains format instructions like {{The input
> "\{\}" is not a valid table name}}.
> To avoid these kinds of problems, we should take care to replace these with a
> better option:
> # {{log.debug("Some explicit message", e);}} (preferred)
> # {{log.debug("", e);}}
> # {{log.debug("{}", e.getMessage(), e);}}
> # {{log.debug("{}", e.toString(), e);}}
> # {{log.debug("{}", e, e);}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
