You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@logging.apache.org by "Yanming Zhou (Jira)" <ji...@apache.org> on 2021/12/17 02:08:00 UTC

[jira] [Created] (LOG4J2-3250) Consider remove recursive replace for lookups

Yanming Zhou created LOG4J2-3250:
------------------------------------

             Summary: Consider remove recursive replace for lookups
                 Key: LOG4J2-3250
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3250
             Project: Log4j 2
          Issue Type: Improvement
          Components: Core
    Affects Versions: 2.16.0
            Reporter: Yanming Zhou


Log4j2 do recursive replace here:

[https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047]

It's danger if variable value comes from user input.
for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC, forged header 'User-Agent: ${sys:user.home}' will output actual user home not literal "${sys:user.home}", sensitive data may leak.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)