Details
-
Improvement
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
2.11.1
-
None
Description
Per: https://logging.apache.org/log4j/log4j-2.8/manual/layouts.html - there is a new encoding scheme introduced in 2.10.0 (by https://issues.apache.org/jira/browse/LOG4J2-1203) that allows users to encode plain logging output with enc{pattern}{CRLF} to avoid Log Injection attacks (https://www.owasp.org/index.php/Log_Injection). While it is great to have this available, most developers won't be aware of the risk of Log Injection so won't do anything about it.
I recommend that Log4J2 enable this encoding by default if no other encoding scheme is specified. It shouldn't hurt plain text logging by defending against this attack automatically. However, to allow people to disable it in case they really don't want this I suggest creating an encoding scheme like {NONE} that explicitly disables this new default behavior which people can use to turn it off.
Attachments
Issue Links
- is related to
-
LOG4J2-3037 Add methods for logging untrusted arguments
- Open