Details
- Type: New Feature
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Fix Version: 2.4.1
Description
Unless specific steps are taken to filter log inputs, there may be a risk of CRLF injection, allowing an attacker to forge log entries: https://cwe.mitre.org/data/definitions/93.html
This is not a critical vulnerability, but manually escaping/encoding/sanitising every instance of logging in a large application is impractical. Most applications have no need to output un-filtered line breaks, so they would benefit from a global option.
Could the list of pattern converters be extended to include a modifier to say that whitespace should be normalised (as per Commons Lang StringUtils.normalizeSpace)? E.g. %_m
Alternatively, it would be simple to implement a wrapper that would apply normalisation to the output of another layout, but it would be more difficult to configure such a wrapper in XML, and it would affect the entire log output, effectively obliterating all padding modifiers.
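One way the proposed %_m modifier could be implemented as a Log4j 2 PatternLayout plugin, written here as an added example (not code from this issue or from the Log4j project); the class and plugin names are made up, and it assumes log4j-core on the classpath and the plugin being discoverable (via the annotation processor's Log4j2Plugins.dat or the packages attribute of the configuration):

```java
package example.log4j; // hypothetical package, not part of Log4j

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.pattern.ConverterKeys;
import org.apache.logging.log4j.core.pattern.LogEventPatternConverter;
import org.apache.logging.log4j.core.pattern.PatternConverter;

/**
 * %_m / %_msg: the message converter from the issue, with every run of
 * whitespace (CR and LF included) collapsed to one space, so a message such as
 * "login failed\n2015-10-01 INFO admin login ok" cannot start a new,
 * forged-looking line in the log file.
 * Usage: <PatternLayout pattern="%d %-5p [%t] %c - %_m%n"/>
 */
@Plugin(name = "NormalisedMessagePatternConverter", category = PatternConverter.CATEGORY)
@ConverterKeys({ "_m", "_msg" })
public final class NormalisedMessagePatternConverter extends LogEventPatternConverter {

    private NormalisedMessagePatternConverter() {
        super("NormalisedMessage", "message");
    }

    /** Factory method that PatternLayout looks up by reflection. */
    public static NormalisedMessagePatternConverter newInstance(final String[] options) {
        return new NormalisedMessagePatternConverter();
    }

    @Override
    public void format(final LogEvent event, final StringBuilder toAppendTo) {
        toAppendTo.append(normaliseSpace(event.getMessage().getFormattedMessage()));
    }

    /** Same contract as Commons Lang StringUtils.normalizeSpace, without the dependency. */
    static String normaliseSpace(final String s) {
        if (s == null) return "";
        final StringBuilder out = new StringBuilder(s.length());
        boolean pendingSpace = false;
        for (int i = 0; i < s.length(); i++) {
            final char c = s.charAt(i);
            if (Character.isWhitespace(c)) {
                pendingSpace = out.length() > 0; // leading whitespace is dropped
            } else {
                if (pendingSpace) out.append(' ');
                out.append(c);
                pendingSpace = false;
            }
        }
        return out.toString(); // trailing whitespace is never flushed
    }
}
```

Padding modifiers such as %-5p keep working because only the message converter's own output is normalised. Log4j's own EncodingPatternConverter (%enc{%m}{CRLF}) covers the same need in later releases; this example only shows how the modifier the issue asks for could be built.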
Issue Links
- duplicates: LOG4J2-439 Create a LogEventPatternConverter to escape newlines and HTML special characters (Closed)
- is duplicated by: LOG4J2-2359 Safe multiline messages (Resolved)
- relates to: LOG4J2-2103 XML encoding for PatternLayout (Closed)