You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@accumulo.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2015/03/18 20:35:38 UTC

[jira] [Created] (ACCUMULO-3681) Avoid string format injection problems

Christopher Tubbs created ACCUMULO-3681:
-------------------------------------------

             Summary: Avoid string format injection problems
                 Key: ACCUMULO-3681
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3681
             Project: Accumulo
          Issue Type: Sub-task
            Reporter: Christopher Tubbs
             Fix For: 1.7.0


In log4j, we could write {{log.debug(e,e);}}, where {{e}} was an {{Exception}} type, whenever we didn't have a more specific message to put in. Log4j would convert the first parameter to a {{String}}.

With the migration to slf4j, this no longer works. Instead, slf4j requires the first parameter to be a format string. So, in many places, we've converted these to something like {{log.debug(e.toString(),e);}}.

However, the key point here is that it's not just _any_ string, it's specifically a *format* string. So, this will be problematic if {{e.toString()}} actually contains format instructions like {{The input "\{\}" is not a valid table name}}.

To avoid these kinds of problems, we should take care to replace these with a better option:

# {{log.debug("Some explicit message", e);}} (preferred)
# {{log.debug("", e);}}
# {{log.debug("{}", e.getMessage(), e);}}
# {{log.debug("{}", e.toString(), e);}}
# {{log.debug("{}", e, e);}}




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)