[
https://issues.apache.org/jira/browse/LOG4J2-2511?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16935096#comment-16935096
]
Matt Sicker commented on LOG4J2-2511:
-------------------------------------
Maybe this feature would make sense for configuring an encoder for message
parameters? Maybe even for anything besides the format message since they could
all be potentially tainted.
I'm not so sure about us changing default settings in 2.x, but maybe this could
be considered a default configuration in 3.0?
> Turn Log Injection Defenses On By Default
> -----------------------------------------
>
> Key: LOG4J2-2511
> URL: https://issues.apache.org/jira/browse/LOG4J2-2511
> Project: Log4j 2
> Issue Type: Improvement
> Components: Pattern Converters
> Affects Versions: 2.11.1
> Reporter: Dave Wichers
> Priority: Minor
> Labels: Security
>
> Per: https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html - there
> is a new encoding scheme introduced in 2.10.0 (by
> https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to
> encode plain logging output with %enc{pattern}{CRLF} to avoid Log
> Injection attacks
> (https://www.owasp.org/index.php/Log_Injection).
> While it is great to have this available, most developers won't be aware of
> the risk of Log Injection so won't do anything about it.
> I recommend that Log4J2 enable this encoding by default if no other encoding
> scheme is specified. It shouldn't hurt plain text logging by defending
> against this attack automatically. However, to allow people to disable it in
> case they really don't want this I suggest creating an encoding scheme like
> {NONE} that explicitly disables this new default behavior which people can
> use to turn it off.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
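The configuration contrast the issue is about, as an added example that is not part of the Jira thread: a Log4j 2 `log4j2.xml` with the plain `%m` pattern developers typically write beside one that wraps the message in the `%enc{...}{CRLF}` converter from LOG4J2-1203. Appender and logger names are assumptions chosen for the example; the `{NONE}` opt-out from the issue is only a proposal and does not exist in the shipped versions named here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example configuration (not from the Log4j project). -->
<Configuration status="WARN">
  <Appenders>

    <!-- Default-style pattern as of 2.11.1: the message (%m) is written verbatim.
         A CR/LF inside a user-controlled value reaches the file unchanged, so one
         log call can produce what looks like two separate log records. -->
    <File name="PlainFile" fileName="logs/app-plain.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %m%n"/>
    </File>

    <!-- Hardened pattern: %enc{%m}{CRLF} replaces '\r' and '\n' in the message
         with the two-character escapes \r and \n, so each log call stays on one
         physical line and a line-oriented parser cannot be fooled by the payload.
         This is what the issue asks to make the default when no other encoding
         scheme is given. -->
    <File name="EncodedFile" fileName="logs/app-encoded.log">
      <PatternLayout pattern="%d{ISO8601} %-5p [%t] %c - %enc{%m}{CRLF}%n"/>
    </File>

  </Appenders>
  <Loggers>
    <!-- Assumed logger name; the same events go to both appenders so the two
         files can be diffed to see exactly what the CRLF encoder changed. -->
    <Logger name="com.example.web" level="info" additivity="false">
      <AppenderRef ref="PlainFile"/>
      <AppenderRef ref="EncodedFile"/>
    </Logger>
    <Root level="warn">
      <AppenderRef ref="EncodedFile"/>
    </Root>
  </Loggers>
</Configuration>
```

Note that `%enc{%m}{CRLF}` only covers the message; parameters rendered elsewhere in the pattern (for example a `%X{...}` MDC value or `%C`) need their own `%enc` wrapper, which is the gap Matt Sicker's comment points at.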