You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "Yanming Zhou (Jira)" <ji...@apache.org> on 2021/12/20 01:26:00 UTC

[jira] [Commented] (LOG4J2-3250) Consider remove recursive replace for lookups

    [ https://issues.apache.org/jira/browse/LOG4J2-3250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462348#comment-17462348 ] 

Yanming Zhou commented on LOG4J2-3250:
--------------------------------------

Confirm fixed in 2.17.0, please close it.

> Consider remove recursive replace for lookups
> ---------------------------------------------
>
>                 Key: LOG4J2-3250
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3250
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.16.0
>            Reporter: Yanming Zhou
>            Priority: Major
>              Labels: security
>             Fix For: 2.17.0
>
>
> Log4j2 do recursive replace here:
> [https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047]
> It's danger if variable value comes from user input.
> for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC, forged header 'User-Agent: ${sys:user.home}' will output actual user home not literal "${sys:user.home}", sensitive data may leak.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)