Dave created LOG4J2-2511:
----------------------------

             Summary: Turn Log Injection Defenses On By Default
                 Key: LOG4J2-2511
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2511
             Project: Log4j 2
          Issue Type: Improvement
          Components: Pattern Converters
    Affects Versions: 2.11.1
            Reporter: Dave


Per: https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html - there
is a new encoding scheme introduced in 2.10.0 (by
https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to encode
plain logging output with %enc{pattern}{CRLF} to avoid Log Injection
attacks (https://www.owasp.org/index.php/Log_Injection).
While it is great to have this available, most developers won't be aware of
the risk of Log Injection, so won't do anything about it.

I recommend that Log4J2 enable this encoding by default if no other encoding
scheme is specified. It shouldn't hurt plain text logging by defending against
this attack automatically. However, to allow people to disable it in case they
really don't want this, I suggest creating an encoding scheme like {NONE} that
explicitly disables this new default behavior, which people can use to turn it
off.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
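To make the risk and the proposed default concrete, the following is an added example (not code from the issue, the reporter, or the Log4j project). It models, in Python, what the CRLF mode of the %enc converter does to a message (replacing CR and LF with the two-character escapes \r and \n, as documented for 2.10+) and feeds the result to a line-oriented log consumer. The username value, timestamps and pattern shapes are constructed for the demonstration; the helper names are assumptions.

```python
import re

# Constructed sample: a web handler logs the username it received.
# The value carries CR/LF so that, if written unencoded, everything after
# the line break is read by a line-oriented consumer as a second,
# forged log record.
FORGED_USERNAME = "alice\r\n2019-01-10 12:00:01 INFO  admin logged in successfully"


def encode_crlf(message: str) -> str:
    """Model of the %enc{...}{CRLF} behaviour described in the Log4j 2 manual:
    CR and LF in the message become the escapes \\r and \\n, so the record
    stays on one physical line. (Assumption: this mirrors the documented
    behaviour; it is not Log4j's own implementation.)"""
    return message.replace("\r", "\\r").replace("\n", "\\n")


def format_record(timestamp: str, level: str, message: str, encode: bool) -> str:
    """Render one record in the shape of a pattern such as
    '%d %-5p %m%n' (plain) or '%d %-5p %enc{%m}{CRLF}%n' (encoded)."""
    body = encode_crlf(message) if encode else message
    return f"{timestamp} {level:<5} {body}\n"


# One record per physical line: timestamp, level, free text.
RECORD_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)\s+(.*)$")


def parse_records(log_text: str):
    """Split a log the way grep or a SIEM forwarder does (per physical line)
    and return the (timestamp, level, message) tuples that parse as records."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(m.groups())
    return records


def demo(encode: bool):
    """Log the failed-login event with the constructed username, with or
    without CRLF encoding, and return what a line-based consumer sees."""
    log = format_record(
        "2019-01-10 12:00:00", "WARN",
        f"login failed for user {FORGED_USERNAME}", encode,
    )
    return parse_records(log)


if __name__ == "__main__":
    # Unencoded: the consumer sees two records, the second one forged.
    for rec in demo(encode=False):
        print("plain  :", rec)
    # Encoded: one record, with the injected line break visible as \r\n.
    for rec in demo(encode=True):
        print("encoded:", rec)
```

Run as a script, the plain variant yields a second record at level INFO that no application code ever emitted, while the encoded variant keeps the whole message inside the single WARN record, which is the outcome the issue proposes making the default.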