You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Dave (JIRA)" <ji...@apache.org> on 2018/11/17 00:46:00 UTC
[jira] [Created] (LOG4J2-2511) Turn Log Injection Defenses On By
Default
Dave created LOG4J2-2511:
----------------------------
Summary: Turn Log Injection Defenses On By Default
Key: LOG4J2-2511
URL: https://issues.apache.org/jira/browse/LOG4J2-2511
Project: Log4j 2
Issue Type: Improvement
Components: Pattern Converters
Affects Versions: 2.11.1
Reporter: Dave
Per: [https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html] - there is a new encoding scheme introduced in 2.10.0 (by https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to encode plain logging output with *enc*{_pattern_}\{CRLF} to avoid Log Injection attacks ([https://www.owasp.org/index.php/Log_Injection)|https://www.owasp.org/index.php/Log_Injection).]. While it is great to have this available, most developers won't be aware of the risk of Log Injection so won't do anything about it.
I recommend that Log4J2 enable this encoding by default if no other encoding scheme is specified. It shouldn't hurt plain text logging by defending against this attack automatically. However, to allow people to disable it in case they really don't want this I suggest creating an encoding scheme like \{NONE} that explicitly disables this new default behavior which people can use to turn it off.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)