[KARAF-6353] Sanitize ShutdownSocketThread command log - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 4.3.0, 4.2.7
Component/s: karaf
Labels:
None

Description

In ShutdownSocketThread it logs an unsucessful command with:

 LOG.log(Level.WARNING, "Karaf shutdown socket:  Invalid command '" +
                                      command.toString() + "' received");

Here we should make sure to sanitize the command.toString() output, as otherwise it gives an attacker the opportunity to pollute the logs with CRLF characters.

Attachments

Issue Links

links to

GitHub Pull Request #933

Activity

People

Assignee:: Jean-Baptiste Onofré

Reporter:: Colm O hEigeartaigh

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 07/Jul/19 09:51

Updated:: 11/Sep/19 16:57

Resolved:: 11/Sep/19 16:57