You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@accumulo.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2015/03/18 20:35:38 UTC
[jira] [Created] (ACCUMULO-3681) Avoid string format injection
problems
Christopher Tubbs created ACCUMULO-3681:
-------------------------------------------
Summary: Avoid string format injection problems
Key: ACCUMULO-3681
URL: https://issues.apache.org/jira/browse/ACCUMULO-3681
Project: Accumulo
Issue Type: Sub-task
Reporter: Christopher Tubbs
Fix For: 1.7.0
In log4j, we could write {{log.debug(e,e);}}, where {{e}} was an {{Exception}} type, whenever we didn't have a more specific message to put in. Log4j would convert the first parameter to a {{String}}.
With the migration to slf4j, this no longer works. Instead, slf4j requires the first parameter to be a format string. So, in many places, we've converted these to something like {{log.debug(e.toString(),e);}}.
However, the key point here is that it's not just _any_ string, it's specifically a *format* string. So, this will be problematic if {{e.toString()}} actually contains format instructions like {{The input "\{\}" is not a valid table name}}.
To avoid these kinds of problems, we should take care to replace these with a better option:
# {{log.debug("Some explicit message", e);}} (preferred)
# {{log.debug("", e);}}
# {{log.debug("{}", e.getMessage(), e);}}
# {{log.debug("{}", e.toString(), e);}}
# {{log.debug("{}", e, e);}}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)