Hi team,

Please review the attached patch that fixes an issue in CMS message
formatting: if one of the message arguments contains '{' or '}', in
subsequent logging this is interpreted as a FormatElement and
parsing fails.

Thanks,
Fraser
From 45c90767ff697209c4e46581f796807c0093f527 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Thu, 2 Mar 2017 16:32:21 +1000
Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments

CMS.getLogMessage performs message formatting via MessageFormat,
then the message gets logged via a Logger.  The Logger also performs
message formatting via MessageFormat.  If the formatted log message
contains '{' or '}' (e.g. if it contains JSON) the MessageFormat
implementation interprets these as FormatElement delimiters and
parsing fails.

Update CMS.getLogMessage() to scan arguments for unsafe characters
and if found, escape the whole message so that subsequent logging
will succeed.

Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 90ee8b90a4841ee79970c9b857b95468d7ecd2ec..31ec53f8aaeda818bf174111f115cf611267897c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1592,7 +1592,21 @@ public class CMSEngine implements ICMSEngine {
             return msg;
         MessageFormat mf = new MessageFormat(msg);
 
-        return mf.format(params);
+        String escapedParams[] = new String[params.length];
+        for (int i = 0; i < params.length; i++)
+            escapedParams[i] = escapeLogMessageParam(params[i]);
+
+        return mf.format(escapedParams);
+    }
+
+    /** Quote a string for inclusion in a java.text.MessageFormat
+     */
+    private String escapeLogMessageParam(String s) {
+        if (s == null)
+            return null;
+        if (s.contains("{") || s.contains("}"))
+            return "'" + s.replaceAll("'", "''") + "'";
+        return s;
     }
 
     public void debug(byte data[]) {
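Review bot: in escapeLogMessageParam the apostrophe doubling is gated on the argument containing '{' or '}', so an argument such as O'Brien with no brace passes through unchanged, and the Logger's second MessageFormat pass still treats its lone apostrophe as the start of a quoted run and drops it from the output. Apply `s.replaceAll("'", "''")` to every non-null argument and add the surrounding single quotes only when a brace is present. Two smaller points: the fix assumes every consumer of the string returned by getLogMessage runs it through MessageFormat again, so anything that writes it verbatim would now see the added quotes and doubled apostrophes, which the commit message should say explicitly; and `String escapedParams[]` would conventionally be written `String[] escapedParams`.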
-- 
2.9.3

_______________________________________________
Pki-devel mailing list
Pki-devel@redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel

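To see the double-formatting failure the commit message describes, and the apostrophe case that the patch's brace check leaves open, here is an added example written for this review. It is not Dogtag code and not part of the original post: the class and method names, the template and the sample arguments are assumptions made for the demo. escapeAsInPatch replicates the rule in the patch's escapeLogMessageParam; escapeAlways is a variant that doubles apostrophes for every argument.

```java
import java.text.MessageFormat;

/**
 * Added example, not Dogtag code. A string that goes through
 * java.text.MessageFormat twice (once in CMS.getLogMessage, once in a
 * MessageFormat-based Logger) breaks when an argument contains '{' or
 * '}', and a lone apostrophe in an argument is eaten by the second pass.
 * The method names, template and sample arguments are assumptions.
 */
public class DoubleFormatDemo {

    /** First pass: what CMS.getLogMessage does with a template and arguments. */
    static String firstPass(String template, String... params) {
        return new MessageFormat(template).format(params);
    }

    /**
     * Second pass: what a MessageFormat-based Logger does with the already
     * formatted string. MessageFormat throws IllegalArgumentException when
     * the text between braces is not a valid format element; that is
     * reported here as a null result.
     */
    static String secondPass(String alreadyFormatted) {
        try {
            return new MessageFormat(alreadyFormatted).format(new Object[0]);
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    /** Same rule as escapeLogMessageParam in the patch: quote only when a brace is present. */
    static String escapeAsInPatch(String s) {
        if (s == null)
            return null;
        if (s.contains("{") || s.contains("}"))
            return "'" + s.replaceAll("'", "''") + "'";
        return s;
    }

    /** Variant: double every apostrophe, and wrap in quotes only when a brace is present. */
    static String escapeAlways(String s) {
        if (s == null)
            return null;
        String doubled = s.replace("'", "''");
        if (s.contains("{") || s.contains("}"))
            return "'" + doubled + "'";
        return doubled;
    }

    public static void main(String[] args) {
        String template = "Request {0} rejected: {1}";     // constructed template
        String json = "{\"reason\": \"key expired\"}";     // constructed JSON argument
        String name = "O'Brien";                           // constructed argument with a lone apostrophe

        // 1. Unescaped JSON: the first pass inserts the braces verbatim, and the
        //    second pass cannot parse "reason": "key expired" as an argument index.
        String raw = firstPass(template, "42", json);
        System.out.println("json unescaped, pass 1: " + raw);
        System.out.println("json unescaped, pass 2: " + secondPass(raw));

        // 2. Escaped as in the patch: the quotes protect the braces through the
        //    second pass, which strips the quotes and leaves the JSON text intact.
        String quoted = firstPass(template, escapeAsInPatch("42"), escapeAsInPatch(json));
        System.out.println("json escaped,   pass 1: " + quoted);
        System.out.println("json escaped,   pass 2: " + secondPass(quoted));

        // 3. Apostrophe but no brace: the patch's rule leaves the argument alone,
        //    so the second pass reads the apostrophe as an opening quote and drops it.
        //    Doubling it unconditionally keeps the character in the logged text.
        String lost = firstPass(template, "42", escapeAsInPatch(name));
        System.out.println("name as in patch, pass 2: " + secondPass(lost));
        String kept = firstPass(template, "42", escapeAlways(name));
        System.out.println("name doubled,     pass 2: " + secondPass(kept));
    }
}
```

Compile and run with `javac DoubleFormatDemo.java && java DoubleFormatDemo`. The single quotes added by either escape helper are consumed by the second MessageFormat pass, so they only make sense if every consumer of the string performs that pass; a consumer that writes the string verbatim will see them.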