[jira] [Resolved] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[ https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] jinyanan resolved LOG4J2-2094. -- Resolution: Not A Bug > Specifying log4jConfiguration in web.xml fails on Windows when the file's > path contains vm options > -- > > Key: LOG4J2-2094 > URL: https://issues.apache.org/jira/browse/LOG4J2-2094 > Project: Log4j 2 > Issue Type: Bug > Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1 >Reporter: jinyanan >Priority: Minor > > when I code my web.xml like this > {code:java} > > log4jConfiguration > > file:///${SYSTEM_HOME}/etc/properties/log4j2.xml > > {code} > I get exception like > {code:java} > ERROR StatusLogger Unable to access > file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml > java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml > (系统找不到指定的路径。) > {code} > I set my SYSTEM_HOME in my IntelliJ IDEA VM Options > !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg! -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[ https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235218#comment-16235218 ] jinyanan commented on LOG4J2-2094: -- pretty good, it's worked! thank you very much > Specifying log4jConfiguration in web.xml fails on Windows when the file's > path contains vm options > -- > > Key: LOG4J2-2094 > URL: https://issues.apache.org/jira/browse/LOG4J2-2094 > Project: Log4j 2 > Issue Type: Bug > Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1 >Reporter: jinyanan >Priority: Minor > > when I code my web.xml like this > {code:java} > > log4jConfiguration > > file:///${SYSTEM_HOME}/etc/properties/log4j2.xml > > {code} > I get exception like > {code:java} > ERROR StatusLogger Unable to access > file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml > java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml > (系统找不到指定的路径。) > {code} > I set my SYSTEM_HOME in my IntelliJ IDEA VM Options > !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg! -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
[ https://issues.apache.org/jira/browse/LOG4J2-2094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235163#comment-16235163 ] Ralph Goers commented on LOG4J2-2094: - Can you please try {code} file:///${sys:SYSTEM_HOME}/etc/properties/log4j2.xml {code} and see if that works any better? > Specifying log4jConfiguration in web.xml fails on Windows when the file's > path contains vm options > -- > > Key: LOG4J2-2094 > URL: https://issues.apache.org/jira/browse/LOG4J2-2094 > Project: Log4j 2 > Issue Type: Bug > Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1 >Reporter: jinyanan >Priority: Minor > > when I code my web.xml like this > {code:java} > > log4jConfiguration > > file:///${SYSTEM_HOME}/etc/properties/log4j2.xml > > {code} > I get exception like > {code:java} > ERROR StatusLogger Unable to access > file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml > java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml > (系统找不到指定的路径。) > {code} > I set my SYSTEM_HOME in my IntelliJ IDEA VM Options > !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg! -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[GitHub] logging-log4j2 pull request #122: LOG4J2-1203 Added Pattern encoding for CRL...
GitHub user rturner-edjuster opened a pull request: https://github.com/apache/logging-log4j2/pull/122 LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. You can merge this pull request into a Git repository by running: $ git pull https://github.com/rturner-edjuster/logging-log4j2 LOG4J2-1203 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/logging-log4j2/pull/122.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #122 commit 1c567fc0fcc709cbcd0591423a0fb0f733c4c25c Author: Robert Turner Date: 2017-11-02T00:53:24Z LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. ---
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235086#comment-16235086 ] ASF GitHub Bot commented on LOG4J2-1203: GitHub user rturner-edjuster opened a pull request: https://github.com/apache/logging-log4j2/pull/122 LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. You can merge this pull request into a Git repository by running: $ git pull https://github.com/rturner-edjuster/logging-log4j2 LOG4J2-1203 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/logging-log4j2/pull/122.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #122 commit 1c567fc0fcc709cbcd0591423a0fb0f733c4c25c Author: Robert Turner Date: 2017-11-02T00:53:24Z LOG4J2-1203 Added Pattern encoding for CRLF only Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs. > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > Attachments: > 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235087#comment-16235087 ] Robert Turner commented on LOG4J2-1203: --- Pull request has been posted: https://github.com/apache/logging-log4j2/pull/122 > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > Attachments: > 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Created] (LOG4J2-2094) Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options
jinyanan created LOG4J2-2094: Summary: Specifying log4jConfiguration in web.xml fails on Windows when the file's path contains vm options Key: LOG4J2-2094 URL: https://issues.apache.org/jira/browse/LOG4J2-2094 Project: Log4j 2 Issue Type: Bug Environment: Windows 10, jetty 9.4.7.v20170914 , Java 8, log4j 2.9.1 Reporter: jinyanan Priority: Minor when I code my web.xml like this {code:java} log4jConfiguration file:///${SYSTEM_HOME}/etc/properties/log4j2.xml {code} I get exception like {code:java} ERROR StatusLogger Unable to access file:///$%7BSYSTEM_HOME%7D/etc/properties/log4j2.xml java.io.FileNotFoundException: \${SYSTEM_HOME}\etc\properties\log4j2.xml (系统找不到指定的路径。) {code} I set my SYSTEM_HOME in my IntelliJ IDEA VM Options !http://wx4.sinaimg.cn/large/7dde05d2gy1fl3ikz7iqmj20uc0a4dgf.jpg! -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235071#comment-16235071 ] Robert Turner commented on LOG4J2-1203: --- Just noticed your note about a pull request -- I will locate the relevant project in Github and see about getting the pull request posted. > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > Attachments: > 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Updated] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robert Turner updated LOG4J2-1203: -- Attachment: 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch Proposed patch to add Pattern encoding for only CRLF: [^0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch] > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > Attachments: > 0001-LOG4J2-1203-Added-Pattern-encoding-for-CRLF-only.patch > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Comment Edited] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235051#comment-16235051 ] Ralph Goers edited comment on LOG4J2-1203 at 11/2/17 1:21 AM: -- Yes. Issues with patches are always more likely to be accepted. I should point out that instead of attaching a patch you can also create a pull request at github. was (Author: ralph.go...@dslextreme.com): Yes. Issues with patches are always more likely to be accepted. > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235051#comment-16235051 ] Ralph Goers commented on LOG4J2-1203: - Yes. Issues with patches are always more likely to be accepted. > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Comment Edited] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235001#comment-16235001 ] Robert Turner edited comment on LOG4J2-1203 at 11/2/17 12:17 AM: - This isn't really a duplicate, and isn't really resolved with %enc{}. Currently %enc forces you down HTML or JSON routes, but doesn't have a simple CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF injection avoidance. I'm happy to provide a patch to extend the %enc to support a new type of encoding for just CRLF. [~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and attach a patch? was (Author: rtur...@e-djuster.com): This isn't really a duplicate, and isn't really resolved with %enc{}. Currently %enc forces you down HTML or XML routes, but doesn't have a simple CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF injection avoidance. I'm happy to provide a patch to extend the %enc to support a new type of encoding for just CRLF. [~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and attach a patch? > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern
[ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235001#comment-16235001 ] Robert Turner commented on LOG4J2-1203: --- This isn't really a duplicate, and isn't really resolved with %enc{}. Currently %enc forces you down HTML or XML routes, but doesn't have a simple CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF injection avoidance. I'm happy to provide a patch to extend the %enc to support a new type of encoding for just CRLF. [~ralph.go...@dslextreme.com] [~jvz] Shall I create a new feature request and attach a patch? > Allow filtering of line breaks in layout pattern > > > Key: LOG4J2-1203 > URL: https://issues.apache.org/jira/browse/LOG4J2-1203 > Project: Log4j 2 > Issue Type: New Feature > Components: Pattern Converters >Affects Versions: 2.4.1 >Reporter: Mitth'raw'nuruodo >Priority: Minor > Fix For: 2.0-rc2 > > > Unless specific steps are taken to filter log inputs, there may be a risk of > CRLF injection, allowing an attacker to forge log entries: > https://cwe.mitre.org/data/definitions/93.html > This is not a critical vulnerability, but manually > escaping/encoding/sanitising every instance of logging in a large application > is impractical. Most applications have no need to output un-filtered line > breaks, so they would benefit from a global option. > Could the list of pattern converters be extended to include a modifier to say > that whitespace should be normalised (as per Commons Lang > {{StringUtils.normaliseSpace}})? Eg {{%_m}} > Alternatively, it would be simple to implement a wrapper that would apply > normalisation to the output of another layout, but it would be more difficult > to configure such a wrapper in XML, and it would affect the entire log > output, effectively obliterating all padding modifiers. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Created] (LOG4J2-2093) Provide dependency management for log4j-to-slf4j is log4j-bom
Andy Wilkinson created LOG4J2-2093: -- Summary: Provide dependency management for log4j-to-slf4j is log4j-bom Key: LOG4J2-2093 URL: https://issues.apache.org/jira/browse/LOG4J2-2093 Project: Log4j 2 Issue Type: Improvement Affects Versions: 2.9.1 Reporter: Andy Wilkinson Priority: Normal Would it be possible to add dependency management for log4j-to-slf4j to log4j-bom? This would make it easier to keep the versions of log4j-api and log4j-to-slf4j in sync, and would also [help Spring Boot users|https://github.com/spring-projects/spring-boot/issues/10847]. -- This message was sent by Atlassian JIRA (v6.4.14#64029)