Posted to notifications@logging.apache.org by "Robert Turner (JIRA)" <ji...@apache.org> on 2017/11/02 00:14:00 UTC

[jira] [Commented] (LOG4J2-1203) Allow filtering of line breaks in layout pattern

    [ https://issues.apache.org/jira/browse/LOG4J2-1203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16235001#comment-16235001 ] 

Robert Turner commented on LOG4J2-1203:
---------------------------------------

This isn't really a duplicate, and isn't really resolved with %enc{}.  Currently %enc forces you down HTML or XML routes, but doesn't have a simple CRLF encoding. As such, you get HTML'ized logs, when all you might want is CRLF injection avoidance.

I'm happy to provide a patch to extend the %enc to support a new type of encoding for just CRLF. 
[~ralph.goers@dslextreme.com] [~jvz] Shall I create a new feature request and attach a patch?

> Allow filtering of line breaks in layout pattern
> ------------------------------------------------
>
>                 Key: LOG4J2-1203
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1203
>             Project: Log4j 2
>          Issue Type: New Feature
>          Components: Pattern Converters
>    Affects Versions: 2.4.1
>            Reporter: Mitth'raw'nuruodo
>            Priority: Minor
>             Fix For: 2.0-rc2
>
>
> Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection, allowing an attacker to forge log entries: https://cwe.mitre.org/data/definitions/93.html
> This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance of logging in a large application is impractical. Most applications have no need to output un-filtered line breaks, so they would benefit from a global option.
> Could the list of pattern converters be extended to include a modifier to say that whitespace should be normalised (as per Commons Lang {{StringUtils.normaliseSpace}})? E.g. {{%_m}}
> Alternatively, it would be simple to implement a wrapper that would apply normalisation to the output of another layout, but it would be more difficult to configure such a wrapper in XML, and it would affect the entire log output, effectively obliterating all padding modifiers.
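As an added illustration (not code from this issue, from Log4j, or from Commons Lang), the following small Java class shows the two mitigations discussed above side by side: a CRLF-only encoding that escapes `\r` and `\n` so an untrusted value cannot start a new log record, and a whitespace-normalising alternative in the spirit of `StringUtils.normalizeSpace`. The class name `CrlfEncodingDemo`, the helper methods, and the fixed timestamp in the layout stand-in are assumptions made for the example; the untrusted input is constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical names): contrasts an unfiltered log record with
 * CRLF-encoded and whitespace-normalised variants of the same untrusted value.
 * It is not a Log4j pattern converter; it only mimics what one would output.
 */
public final class CrlfEncodingDemo {

    /** Escape CR and LF only, leaving every other character untouched (no HTML/XML escaping). */
    static String encodeCrlf(String message) {
        if (message == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(message.length() + 8);
        for (int i = 0; i < message.length(); i++) {
            char c = message.charAt(i);
            switch (c) {
                case '\r': sb.append("\\r"); break;
                case '\n': sb.append("\\n"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    private static final Pattern WHITESPACE_RUN = Pattern.compile("\\s+");

    /** Collapse any run of whitespace (including line breaks) to a single space and trim. */
    static String normalizeSpace(String message) {
        if (message == null) {
            return null;
        }
        return WHITESPACE_RUN.matcher(message.trim()).replaceAll(" ");
    }

    /** Stand-in for a "%d %-5p %m%n" layout; the timestamp is a fixed, constructed value. */
    static String formatRecord(String level, String message) {
        return "2017-11-02 00:14:00 " + String.format("%-5s", level) + " " + message + "\n";
    }

    /** Count how many records a consumer would see in the emitted text. */
    static int countRecords(String output) {
        int count = 0;
        for (String line : output.split("\n")) {
            if (!line.isEmpty()) {
                count++;
            }
        }
        return count;
    }

    public static void main(String[] args) {
        // Constructed untrusted input: a username that embeds a line break.
        String userName = "alice\r\nsecond line that should not become its own record";

        String unfiltered = formatRecord("WARN", "login failed for user " + userName);
        String encoded    = formatRecord("WARN", "login failed for user " + encodeCrlf(userName));
        String normalised = formatRecord("WARN", "login failed for user " + normalizeSpace(userName));

        System.out.println("unfiltered records: " + countRecords(unfiltered)); // 2
        System.out.println("encoded records:    " + countRecords(encoded));    // 1
        System.out.println("normalised records: " + countRecords(normalised)); // 1
        System.out.print(encoded);
        System.out.print(normalised);
    }
}
```

The encoded form keeps the original bytes recoverable for forensics (`\r\n` is visible in the record), whereas normalisation discards the distinction between a space and a line break; either way the record count stays at one, which is the property the issue asks for.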



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)