[ https://issues.apache.org/jira/browse/KARAF-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17296023#comment-17296023 ]

ASF GitHub Bot commented on KARAF-7061:
---------------------------------------

jbonofre opened a new pull request #1318:
URL: https://github.com/apache/karaf/pull/1318

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Add default message escaping for Log4J2 configuration to help prevent log injection attacks
> -------------------------------------------------------------------------------------------
>
>                 Key: KARAF-7061
>                 URL: https://issues.apache.org/jira/browse/KARAF-7061
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf
>    Affects Versions: 4.3.0, 4.2.10
>            Reporter: Serge Huber
>            Assignee: Jean-Baptiste Onofré
>            Priority: Major
>
> As recommended in 
> https://www.linuxsecrets.com/owasp-wiki/index.php/Injection_Prevention_Cheat_Sheet_in_Java.html#Example_using_Log4j2
> to prevent log injections of CRLF or HTML code (which could be exploited if 
> the logs are displayed in an HTML page), we should change the default log4j2 
> pattern in Karaf from:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %m%n
> {code}
> to something like this:
> {code}
> log4j2.pattern = %d{ISO8601} | %-5p | %-16t | %-32c{1} | %X{bundle.id} - %X{bundle.name} - %X{bundle.version} | %encode{%.-500m}%n
> {code}
> See : 
> This would limit the message to 500 characters to prevent sending huge 
> messages and will turn on the default HTML escaping which escapes for CRLF 
> and any HTML tags such as <script>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
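To make the issue concrete, here is an added simulation (example code, not Karaf's or Log4j2's own) of what the two patterns quoted above do with attacker-controlled message text. It reproduces the Karaf pattern's field layout in Python, models `%.-500m` as "keep the first 500 characters" and `%encode{...}` with the HTML replacement table from the Log4j2 PatternLayout documentation (CR/LF become the literal text `\r`/`\n`; `&`, `<`, `>`, `"`, `'`, `/` become entities), then feeds it a constructed CRLF payload that forges a second log record and a constructed `<script>` payload. The timestamp, bundle context and payloads are all assumptions for the demo. It also shows a caveat the issue does not mention: because the inner `%.-500m` runs before `%encode`, the encoded message can still be longer than 500 characters.

```python
import re

TS = "2021-03-05T10:00:00,000"  # constructed fixed timestamp for deterministic output

# Replacement table as documented for Log4j2's %encode{...}{HTML}
HTML_ESCAPES = {
    "\r": "\\r",
    "\n": "\\n",
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def html_encode(message: str) -> str:
    """Approximates %encode{...}{HTML}: neutralise CRLF and HTML metacharacters."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in message)


def truncate_from_end(message: str, max_len: int = 500) -> str:
    """Approximates %.-500m: a negative precision keeps the first max_len chars."""
    return message[:max_len]


def _header(level, thread, logger, bundle_id, bundle_name, bundle_version):
    # Field widths mirror %-5p, %-16t and %-32c{1} in the Karaf pattern
    return (f"{TS} | {level:<5} | {thread:<16} | {logger:<32} | "
            f"{bundle_id} - {bundle_name} - {bundle_version} | ")


def format_naive(message, **ctx):
    """Current Karaf pattern: ... | %m%n  (message written verbatim)."""
    return _header(**ctx) + message + "\n"


def format_hardened(message, **ctx):
    """Proposed pattern: ... | %encode{%.-500m}%n  (truncate, then encode)."""
    return _header(**ctx) + html_encode(truncate_from_end(message)) + "\n"


# A record starts with the ISO8601 timestamp the pattern emits
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2},\d{3} \| ")


def count_records(log_text: str) -> int:
    """Count records the way a line-oriented log viewer or SIEM parser would."""
    return sum(1 for line in log_text.split("\n") if RECORD_START.match(line))


# Constructed bundle context for the demo
CTX = dict(level="WARN", thread="qtp-12", logger="LoginModule", bundle_id=42,
           bundle_name="org.apache.karaf.jaas.modules", bundle_version="4.3.0")

# Constructed attacker input: a username carrying CRLF plus a complete forged
# record that claims a successful admin login from another host.
INJECTED_USER = ("alice\r\n" + TS + " | INFO  | qtp-12           | "
                 "LoginModule                      | "
                 "42 - org.apache.karaf.jaas.modules - 4.3.0 | "
                 "admin login OK from 10.0.0.5")
XSS_USER = "<script>alert(document.cookie)</script>"


def demo() -> dict:
    msg = f"login failed for user {INJECTED_USER}"
    return {
        "naive_records": count_records(format_naive(msg, **CTX)),        # 2: forged line accepted
        "hardened_records": count_records(format_hardened(msg, **CTX)),  # 1: CRLF became text
        "xss_naive": "<script>" in format_naive(XSS_USER, **CTX),
        "xss_hardened": "<script>" in format_hardened(XSS_USER, **CTX),
        # %.-500m truncates before %encode runs, so the encoded text can grow past 500
        "encoded_len_of_500_lt": len(html_encode(truncate_from_end("<" * 600))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the naive pattern yielding two parseable records from one event, while the hardened pattern yields one record whose message contains the literal text `\r\n` and `&lt;script&gt;`. If the 500-character cap is meant as a size limit on what reaches the log file, note that it bounds the pre-encoding length only.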