You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Yanming Zhou (Jira)" <ji...@apache.org> on 2021/12/20 01:26:00 UTC
[jira] [Commented] (LOG4J2-3250) Consider remove recursive replace for lookups
[ https://issues.apache.org/jira/browse/LOG4J2-3250?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462348#comment-17462348 ]
Yanming Zhou commented on LOG4J2-3250:
--------------------------------------
Confirm fixed in 2.17.0, please close it.
> Consider remove recursive replace for lookups
> ---------------------------------------------
>
> Key: LOG4J2-3250
> URL: https://issues.apache.org/jira/browse/LOG4J2-3250
> Project: Log4j 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Yanming Zhou
> Priority: Major
> Labels: security
> Fix For: 2.17.0
>
>
> Log4j2 do recursive replace here:
> [https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047]
> It's danger if variable value comes from user input.
> for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC, forged header 'User-Agent: ${sys:user.home}' will output actual user home not literal "${sys:user.home}", sensitive data may leak.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)