[LOG4J2-3250] Consider remove recursive replace for lookups - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.16.0
Fix Version/s: 2.17.0
Component/s: Core
Labels:
- security

Flags:

Important

Description

Log4j2 do recursive replace here:

https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047

It's danger if variable value comes from user input.
for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC, forged header 'User-Agent: ${sys:user.home}' will output actual user home not literal "${sys:user.home}", sensitive data may leak.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Yanming Zhou

Votes:: 2 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 17/Dec/21 02:07

Updated:: 20/Dec/21 01:25

Resolved:: 20/Dec/21 01:25