You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "Dave (JIRA)" <ji...@apache.org> on 2018/11/17 00:46:00 UTC

[jira] [Created] (LOG4J2-2511) Turn Log Injection Defenses On By Default

Dave created LOG4J2-2511:
----------------------------

             Summary: Turn Log Injection Defenses On By Default
                 Key: LOG4J2-2511
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2511
             Project: Log4j 2
          Issue Type: Improvement
          Components: Pattern Converters
    Affects Versions: 2.11.1
            Reporter: Dave


Per: [https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html] - there is a new encoding scheme introduced in 2.10.0 (by https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to encode plain logging output with *enc*{_pattern_}\{CRLF} to avoid Log Injection attacks ([https://www.owasp.org/index.php/Log_Injection)|https://www.owasp.org/index.php/Log_Injection).]. While it is great to have this available, most developers won't be aware of the risk of Log Injection so won't do anything about it.

I recommend that Log4J2 enable this encoding by default if no other encoding scheme is specified. It shouldn't hurt plain text logging by defending against this attack automatically. However, to allow people to disable it in case they really don't want this I suggest creating an encoding scheme like \{NONE} that explicitly disables this new default behavior which people can use to turn it off.

 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)