You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Yanming Zhou (Jira)" <ji...@apache.org> on 2021/12/17 02:08:00 UTC
[jira] [Created] (LOG4J2-3250) Consider remove recursive replace for lookups
Yanming Zhou created LOG4J2-3250:
------------------------------------
Summary: Consider remove recursive replace for lookups
Key: LOG4J2-3250
URL: https://issues.apache.org/jira/browse/LOG4J2-3250
Project: Log4j 2
Issue Type: Improvement
Components: Core
Affects Versions: 2.16.0
Reporter: Yanming Zhou
Log4j2 do recursive replace here:
[https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047]
It's danger if variable value comes from user input.
for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC, forged header 'User-Agent: ${sys:user.home}' will output actual user home not literal "${sys:user.home}", sensitive data may leak.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)