Marcono1234 created LOG4J2-3290:
-----------------------------------

             Summary: NetUtils.getLocalIps() is error-prone
                 Key: LOG4J2-3290
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3290
             Project: Log4j 2
          Issue Type: Bug
            Reporter: Marcono1234


The method {{org.apache.logging.log4j.core.util.NetUtils.getLocalIps()}} is 
error-prone:
- It does not document in which format the returned IP addresses are. IPv6 
addresses are not enclosed in square brackets, and may have an optional scope 
id, e.g. {{1080:0:0:0:8:800:200C:417A%eth3}}. This should be documented because 
some callers might expect enclosing square brackets.
- Its results include temporary IP addresses. This causes the following issues 
when, during the runtime of an application, the IP addresses are re-assigned by 
the provider:
-- If the results of {{getLocalIps()}} were cached, parts of the application 
might break due to IP address change, because the newly assigned IP address is 
not considered a 'local IP' anymore.
-- It might allow circumventing IP address filters when a malicious actor 
manages to get the previous IP address as their new address.

{{NetUtils.getLocalIps()}} was only introduced for {{JndiManager}}, however 
with the recent changes the method does not appear to be used anymore (see 
LOG4J2-3242). Therefore, it might also be an option to remove the method again.




--
This message was sent by Atlassian Jira
(v8.20.1#820001)
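The two points raised above (an undocumented output format, and results that go stale when addresses are re-assigned) can be illustrated with a small stand-alone helper. This is an added example written for this page, not Log4j's `NetUtils` code; the class name `LocalAddresses`, its methods, and the sample address with a constructed numeric scope id are the example's own. It uses only standard JDK APIs. Note that `java.net.NetworkInterface` exposes no "temporary address" flag, so the example does not try to filter temporary addresses out; instead it avoids caching and re-enumerates at check time, and it pins down one canonical text form (bracketed IPv6, scope id removed) that every comparison goes through.

```java
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Illustrative helper, not Log4j code: enumerates the addresses currently
 * bound to this host's interfaces and returns every one of them in a single
 * documented textual format:
 *   IPv4 -> dotted quad, e.g. "192.0.2.10"
 *   IPv6 -> bracketed, scope id removed, e.g. "[1080:0:0:0:8:800:200c:417a]"
 */
public final class LocalAddresses {

    // Cheap literal check so that isLocal() never triggers a DNS lookup on a hostname.
    private static final Pattern IPV4_LITERAL = Pattern.compile("\\d{1,3}(\\.\\d{1,3}){3}");
    private static final Pattern IPV6_CHARS = Pattern.compile("[0-9A-Fa-f:.]+");

    private LocalAddresses() {
    }

    /** Canonical form used for every comparison; this is the format a caller can rely on. */
    public static String canonical(InetAddress address) {
        if (address instanceof Inet6Address) {
            // Inet6Address.getHostAddress() appends "%<scope>" when a scope id is set
            // (e.g. "fe80:0:0:0:0:0:0:1%eth0"); drop it so the same address compares
            // equal no matter which interface it was learned from.
            return "[" + stripScope(address.getHostAddress()) + "]";
        }
        return address.getHostAddress();
    }

    private static String stripScope(String ipv6Text) {
        int percent = ipv6Text.indexOf('%');
        return percent >= 0 ? ipv6Text.substring(0, percent) : ipv6Text;
    }

    /**
     * Live enumeration, deliberately not cached: addresses (temporary IPv6
     * addresses in particular) can be re-assigned while the JVM is running,
     * and a cached list would then be stale.
     */
    public static List<String> currentLocalIps() throws SocketException {
        List<String> result = new ArrayList<>();
        Enumeration<NetworkInterface> nics = NetworkInterface.getNetworkInterfaces();
        if (nics == null) { // older JDKs return null instead of an empty enumeration
            return result;
        }
        for (NetworkInterface nic : Collections.list(nics)) {
            for (InetAddress address : Collections.list(nic.getInetAddresses())) {
                result.add(canonical(address));
            }
        }
        return result;
    }

    /**
     * Accepts the candidate in any of the common spellings (with or without
     * brackets, with or without a scope id) and normalizes it before comparing,
     * so that "[fe80::1]" and "fe80::1%eth0" are treated as the same address.
     */
    public static boolean isLocal(String candidate) throws SocketException, UnknownHostException {
        String text = candidate.trim();
        if (text.startsWith("[") && text.endsWith("]")) {
            text = text.substring(1, text.length() - 1);
        }
        text = stripScope(text);
        boolean literal = IPV4_LITERAL.matcher(text).matches()
                || (text.indexOf(':') >= 0 && IPV6_CHARS.matcher(text).matches());
        if (!literal) {
            throw new IllegalArgumentException("not an IP literal: " + candidate);
        }
        // text is a literal here, so getByName() parses it without a DNS query.
        InetAddress parsed = InetAddress.getByName(text);
        return currentLocalIps().contains(canonical(parsed));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the issue's example address with a numeric scope id attached.
        byte[] raw = InetAddress.getByName("1080:0:0:0:8:800:200C:417A").getAddress();
        InetAddress scoped = Inet6Address.getByAddress(null, raw, 3);
        System.out.println("raw host address : " + scoped.getHostAddress());
        System.out.println("canonical form   : " + canonical(scoped));
        System.out.println("local addresses  : " + currentLocalIps());
        System.out.println("loopback local?  : " + isLocal("[::1]") + " / " + isLocal("127.0.0.1"));
    }
}
```

Stripping the scope id is a deliberate choice that fits an "is this one of my addresses" filter: the same link-local address seen on two interfaces collapses to one entry. Code that needs to distinguish interfaces should keep the scope id and document that it does. The literal check matters for a filter because `InetAddress.getByName` on a hostname performs a DNS lookup, which a caller-controlled string should never be able to trigger.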