[jira] [Resolved] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[
https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
jinyanan resolved LOG4J2-2094.
--
Resolution: Not A Bug
> Specifying log4jConfiguration in web.xml fails on Windows when the file's
> path contains vm options
> --
>
> Key: LOG4J2-2094
> URL: https://issues.apache.org/jira/browse/LOG4J2-2094
> Project: Log4j 2
> Issue Type: Bug
> Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1
>Reporter: jinyanan
>Priority: Minor
>
> when I code my web.xml like this
> {code:java}
>
> log4jConfiguration
>
> file:///${SYSTEM_HOME}/etc/properties/log4j2.xml
>
> {code}
> I get exception like
> {code:java}
> ERROR StatusLogger Unable to access
> file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml
> java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml
> (系统找不到指定的路径。)
> {code}
> I set my SYSTEM_HOME in my IntelliJ IDEA VM Options
> !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[
https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235218#comment-16235218
]
jinyanan commented on LOG4J2-2094:
--
pretty good, it's worked!
thank you very much
> Specifying log4jConfiguration in web.xml fails on Windows when the file's
> path contains vm options
> --
>
> Key: LOG4J2-2094
> URL: https://issues.apache.org/jira/browse/LOG4J2-2094
> Project: Log4j 2
> Issue Type: Bug
> Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1
>Reporter: jinyanan
>Priority: Minor
>
> when I code my web.xml like this
> {code:java}
>
> log4jConfiguration
>
> file:///${SYSTEM_HOME}/etc/properties/log4j2.xml
>
> {code}
> I get exception like
> {code:java}
> ERROR StatusLogger Unable to access
> file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml
> java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml
> (系统找不到指定的路径。)
> {code}
> I set my SYSTEM_HOME in my IntelliJ IDEA VM Options
> !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[
https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235163#comment-16235163
]
Ralph Goers commented on LOG4J2-2094:
-
Can you please try
{code}
file:///${sys:SYSTEM_HOME}/etc/properties/log4j2.xml
{code}
and see if that works any better?
> Specifying log4jConfiguration in web.xml fails on Windows when the file's
> path contains vm options
> --
>
> Key: LOG4J2-2094
> URL: https://issues.apache.org/jira/browse/LOG4J2-2094
> Project: Log4j 2
> Issue Type: Bug
> Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1
>Reporter: jinyanan
>Priority: Minor
>
> when I code my web.xml like this
> {code:java}
>
> log4jConfiguration
>
> file:///${SYSTEM_HOME}/etc/properties/log4j2.xml
>
> {code}
> I get exception like
> {code:java}
> ERROR StatusLogger Unable to access
> file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml
> java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml
> (系统找不到指定的路径。)
> {code}
> I set my SYSTEM_HOME in my IntelliJ IDEA VM Options
> !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[GitHub] logging-log4j2 pull request #122: LOG4J2-1203 Added Pattern encoding for CRL...
GitHub user rturner-edjuster opened a pull request: https://github.com/apache/logging-log4j2/pull/122 LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. You can merge this pull request into a Git repository by running: $ git pull https://github.com/rturner-edjuster/logging-log4j2 LOG4J2-1203 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/logging-log4j2/pull/122.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #122 commit 1c567fc0fcc709cbcd0591423a0fb0f733c4c25c Author: Robert Turner Date: 2017-11-02T00:53:24Z LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. ---
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235086#comment-16235086
]
ASF GitHub Bot commented on LOG4J2-1203:
GitHub user rturner-edjuster opened a pull request:
https://github.com/apache/logging-log4j2/pull/122
LOG4J2-1203 Added Pattern encoding for CRLF only
Added a Pattern encoding format limited to just CRLF for use cases
where you do not want full HTML or JSON encoding, but do want to
protected against CR and/or LF injection attacks in logs.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/rturner-edjuster/logging-log4j2 LOG4J2-1203
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/logging-log4j2/pull/122.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #122
commit 1c567fc0fcc709cbcd0591423a0fb0f733c4c25c
Author: Robert Turner
Date: 2017-11-02T00:53:24Z
LOG4J2-1203 Added Pattern encoding for CRLF only
Added a Pattern encoding format limited to just CRLF for use cases
where you do not want full HTML or JSON encoding, but do want to
protected against CR and/or LF injection attacks in logs.
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
> Attachments:
> 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235087#comment-16235087
]
Robert Turner commented on LOG4J2-1203:
---
Pull request has been posted: https://github.com/apache/logging-log4j2/pull/122
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
> Attachments:
> 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Created] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
jinyanan created LOG4J2-2094:
Summary: Specifying log4jConfiguration in web.xml fails on Windows
when the file's path contains vm options
Key: LOG4J2-2094
URL: https://issues.apache.org/jira/browse/LOG4J2-2094
Project: Log4j 2
Issue Type: Bug
Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1
Reporter: jinyanan
Priority: Minor
when I code my web.xml like this
{code:java}
log4jConfiguration
file:///${SYSTEM_HOME}/etc/properties/log4j2.xml
{code}
I get exception like
{code:java}
ERROR StatusLogger Unable to access
file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml
java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml
(系统找不到指定的路径。)
{code}
I set my SYSTEM_HOME in my IntelliJ IDEA VM Options
!http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235071#comment-16235071
]
Robert Turner commented on LOG4J2-1203:
---
Just noticed your note about a pull request -- I will locate the relevant
project in Github and see about getting the pull request posted.
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
> Attachments:
> 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Updated] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Turner updated LOG4J2-1203:
--
Attachment: 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch
Proposed patch to add Pattern encoding for only CRLF:
[^0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch]
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
> Attachments:
> 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Comment Edited] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235051#comment-16235051
]
Ralph Goers edited comment on LOG4J2-1203 at 11/2/17 1:21 AM:
--
Yes. Issues with patches are always more likely to be accepted. I should point
out that instead of attaching a patch you can also create a pull request at
github.
was (Author: ralph.go...@dslextreme.com):
Yes. Issues with patches are always more likely to be accepted.
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235051#comment-16235051
]
Ralph Goers commented on LOG4J2-1203:
-
Yes. Issues with patches are always more likely to be accepted.
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Comment Edited] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235001#comment-16235001
]
Robert Turner edited comment on LOG4J2-1203 at 11/2/17 12:17 AM:
-
This isn't really a duplicate, and isn't really resolved with %enc{}.
Currently %enc forces you down HTML or JSON routes, but doesn't have a simple
CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF
injection avoidance.
I'm happy to provide a patch to extend the %enc to support a new type of
encoding for just CRLF.
[~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and
attach a patch?
was (Author: rtur...@e-djuster.com):
This isn't really a duplicate, and isn't really resolved with %enc{}.
Currently %enc forces you down HTML or XML routes, but doesn't have a simple
CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF
injection avoidance.
I'm happy to provide a patch to extend the %enc to support a new type of
encoding for just CRLF.
[~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and
attach a patch?
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[
https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235001#comment-16235001
]
Robert Turner commented on LOG4J2-1203:
---
This isn't really a duplicate, and isn't really resolved with %enc{}.
Currently %enc forces you down HTML or XML routes, but doesn't have a simple
CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF
injection avoidance.
I'm happy to provide a patch to extend the %enc to support a new type of
encoding for just CRLF.
[~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and
attach a patch?
> Allow filtering of line breaks in layout pattern
>
>
> Key: LOG4J2-1203
> URL: https://issues.apache.org/jira/browse/LOG4J2-1203
> Project: Log4j 2
> Issue Type: New Feature
> Components: Pattern Converters
>Affects Versions: 2.4.1
>Reporter: Mitth'raw'nuruodo
>Priority: Minor
> Fix For: 2.0-rc2
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of
> CRLF injection, allowing an attacker to forge log entries:
> https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually
> escaping/encoding/sanitising every instance of logging in a large application
> is impractical. Most applications have no need to output un-filtered line
> breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say
> that whitespace should be normalised (as per Commons Lang
> {{StringUtils.normaliseSpace}})? Eg {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply
> normalisation to the output of another layout, but it would be more difficult
> to configure such a wrapper in XML, and it would affect the entire log
> output, effectively obliterating all padding modifiers.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Created] (LOG4J2-2093) Provide dependency management for log4j-to-slf4j is log4j-bom
Andy Wilkinson created LOG4J2-2093: -- Summary: Provide dependency management for log4j-to-slf4j is log4j-bom Key: LOG4J2-2093 URL: https://issues.apache.org/jira/browse/LOG4J2-2093 Project: Log4j 2 Issue Type: Improvement Affects Versions: 2.9.1 Reporter: Andy Wilkinson Priority: Normal Would it be possible to add dependency management for log4j-to-slf4j to log4j-bom? This would make it easier to keep the versions of log4j-api and log4j-to-slf4j in sync, and would also [help Spring Boot users|https://github.com/spring-projects/spring-boot/issues/10847]. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
