From 1c567fc0fcc709cbcd0591423a0fb0f733c4c25c Mon Sep 17 00:00:00 2001
From: Robert Turner
Date: Wed, 1 Nov 2017 20:53:24 -0400
Subject: [PATCH] LOG4J2-1203 Added Pattern encoding for CRLF only

Added a Pattern encoding format limited to just CRLF for use cases where you do not want full HTML or JSON encoding, but do want to protected against CR and/or LF injection attacks in logs.
---
 .../log4j/core/pattern/EncodingPatternConverter.java | 19 +++++++++++++++++++
 .../core/pattern/EncodingPatternConverterTest.java | 19 +++++++++++++++++++
 src/site/xdoc/manual/layouts.xml.vm | 15 +++++++++++++--
 3 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverter.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverter.java
index 38605ea..9897e9d 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverter.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverter.java
@@ -153,6 +153,25 @@ public final class EncodingPatternConverter extends LogEventPatternConverter {
 }
 }
 }
+ },
+
+ CRLF {
+ @Override
+ void escape(final StringBuilder toAppendTo, final int start) {
+ for (int i = toAppendTo.length() - 1; i >= start; i--) { // backwards: length may change
+ final char c = toAppendTo.charAt(i);
+ switch (c) {
+ case '\r':
+ toAppendTo.setCharAt(i, '\\');
+ toAppendTo.insert(i + 1, 'r');
+ break;
+ case '\n':
+ toAppendTo.setCharAt(i, '\\');
+ toAppendTo.insert(i + 1, 'n');
+ break;
+ }
+ }
+ }
 };
 
 /**
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverterTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverterTest.java
index 0e4136a..57ecbb0 100644
--- a/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverterTest.java
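Review bot: The new `CRLF` constant in `EncodingPatternConverter` escapes `'\r'` and `'\n'` but leaves an existing backslash untouched, so after encoding, a real line feed and the two literal characters `\n` supplied by a caller produce identical output. A forged entry still cannot start on a new line, but someone reading the log during an investigation can no longer tell which input was actually sent. If the format is meant to be unambiguous, add `case '\\': toAppendTo.insert(i + 1, '\\'); break;` to the switch; otherwise state the limit in a comment such as `// only CR and LF are escaped; '\\' passes through, so the output is not reversible`. The switch also passes through other characters that some log consumers may treat as line ends (U+0085, U+2028, U+2029); whether that matters depends on what reads these logs, so it deserves a sentence in the manual. The enclosing enum begins above the hunk, so how the other formats treat the backslash is not visible here.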
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/core/pattern/EncodingPatternConverterTest.java @@ -67,4 +67,23 @@ public class EncodingPatternConverterTest { assertEquals(expected, sb.toString()); } + + @Test + public void testCrlfEscaping() { + final LogEvent event = Log4jLogEvent.newBuilder() // + .setLoggerName(EncodingPatternConverterTest.class.getName()) // + .setLevel(Level.DEBUG) // + .setMessage(new SimpleMessage("Test \r\n
this\r
& \n
that
")) + .build(); + final StringBuilder sb = new StringBuilder(); + final LoggerContext ctx = LoggerContext.getContext(); + final String[] options = new String[]{"%msg", "CRLF"}; + final EncodingPatternConverter converter = EncodingPatternConverter + .newInstance(ctx.getConfiguration(), options); + assertNotNull("Error creating converter", converter); + converter.format(event, sb); + assertEquals( + "Test \\r\\n
this\\r
& \\n
that
", + sb.toString()); + } } diff --git a/src/site/xdoc/manual/layouts.xml.vm b/src/site/xdoc/manual/layouts.xml.vm index 1e8cfb3..9d4cd31 100644 --- a/src/site/xdoc/manual/layouts.xml.vm +++ b/src/site/xdoc/manual/layouts.xml.vm @@ -780,8 +780,8 @@ WARN [main]: Message 2 - enc{pattern}{[HTML|JSON]}
- encode{pattern}{[HTML|JSON]} + enc{pattern}{[HTML|JSON|CRLF]}
+ encode{pattern}{[HTML|JSON|CRLF]}

@@ -841,6 +841,17 @@ WARN [main]: Message 2 For example, the pattern {"message": "%enc{%m}{JSON}"} could be used to output a valid JSON document containing the log message as a string value.

+

Using the CRLF encoding format, the following characters are replaced:

+ + + + + + + + + +
CharacterReplacement
'\r', '\n'Converted into escaped strings "\\r" and "\\n" respectively
-- 2.10.1