[ https://issues.apache.org/jira/browse/LOG4J2-439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bruce Brouwer updated LOG4J2-439: --------------------------------- Attachment: EncodingPatternConverter.patch I've attached a patch for EncodingPatternConverter and EncodingPatternConverterTest > Create a LogEventPatternConverter to escape newlines and HTML special > characters > -------------------------------------------------------------------------------- > > Key: LOG4J2-439 > URL: https://issues.apache.org/jira/browse/LOG4J2-439 > Project: Log4j 2 > Issue Type: New Feature > Components: Layouts > Affects Versions: 2.0-beta9 > Reporter: Bruce Brouwer > Attachments: EncodingPatternConverter.patch > > > To prevent log forging and HTML based attacks from viewing logs in a browser, > we could add a LogEventPatternConverter that escapes newlines and HTML > special characters. [ESAPI has a method to do > this|http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/Logger.html], > but it doesn't have any of the nice API features that Log4j 2 has. > I was able to create a LogEventPatternConverter to do this. Note, this is > only a proof of concept. I didn't try to exhaustively list all the special > characters that might need to be replaced. I also didn't provide any > configuration so we could choose to not escape HTML, for example. > With this configuration: > {code:xml} > <PatternLayout pattern="%d %-5p [%t] %c %encode{%m}%n"/> > {code} > And logging this message: > {code} > LOG.warn("hi\n & <h1> there"); > {code} > Would result in this being logged: > {code} > 2013-10-28 16:31:21,606 WARN [main] example.Test hi\n & <h1> there > {code} > instead of this (which shows the potential for log forging): > {code} > 2013-10-28 16:31:21,606 WARN [main] example.Test hi > & <h1> there > {code} > This is roughly the code I used: > {code} > @Plugin(name = "escape", category = "Converter") > @ConverterKeys({ "escape" }) > public final class EscapingReplacementConverter extends > LogEventPatternConverter { > private final List<PatternFormatter> formatters; > private EscapingReplacementConverter(final List<PatternFormatter> > formatters) { > super("escape", "escape"); > this.formatters = formatters; > } > public static EscapingReplacementConverter newInstance(final > Configuration config, > final String[] > options) { > if (options.length != 1) { > LOGGER.error("Incorrect number of options on escape. Expected 1, > received " > + options.length); > return null; > } > if (options[0] == null) { > LOGGER.error("No pattern supplied on escape"); > return null; > } > final PatternParser parser = > PatternLayout.createPatternParser(config); > final List<PatternFormatter> formatters = parser.parse(options[0]); > return new EscapingReplacementConverter(formatters); > } > @Override > public void format(final LogEvent event, final StringBuilder toAppendTo) { > final StringBuilder buf = new StringBuilder(); > for (final PatternFormatter formatter : formatters) { > formatter.format(event, buf); > } > toAppendTo.append(buf.toString() > .replaceAll("\\r", "\\\\r") > .replaceAll("\\n", "\\\\n") > .replaceAll("&", "&") > .replaceAll("<", "<") > .replaceAll(">", ">")); > } > } > {code} > If this sounds good, I would like to hear feedback and ideas on how to make > this better. I will then contribute this to the project. Do you think this > could this get in 2.0? -- This message was sent by Atlassian JIRA (v6.1.5#6160) --------------------------------------------------------------------- To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org For additional commands, e-mail: log4j-dev-h...@logging.apache.org