[
https://issues.apache.org/jira/browse/LOG4J2-439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bruce Brouwer updated LOG4J2-439:
---------------------------------
Attachment: EncodingPatternConverter.patch
I've attached a patch for EncodingPatternConverter and
EncodingPatternConverterTest
> Create a LogEventPatternConverter to escape newlines and HTML special
> characters
> --------------------------------------------------------------------------------
>
> Key: LOG4J2-439
> URL: https://issues.apache.org/jira/browse/LOG4J2-439
> Project: Log4j 2
> Issue Type: New Feature
> Components: Layouts
> Affects Versions: 2.0-beta9
> Reporter: Bruce Brouwer
> Attachments: EncodingPatternConverter.patch
>
>
> To prevent log forging and HTML based attacks from viewing logs in a browser,
> we could add a LogEventPatternConverter that escapes newlines and HTML
> special characters. [ESAPI has a method to do
> this|http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc7/apidocs/org/owasp/esapi/Logger.html],
> but it doesn't have any of the nice API features that Log4j 2 has.
> I was able to create a LogEventPatternConverter to do this. Note, this is
> only a proof of concept. I didn't try to exhaustively list all the special
> characters that might need to be replaced. I also didn't provide any
> configuration so we could choose to not escape HTML, for example.
> With this configuration:
> {code:xml}
> <PatternLayout pattern="%d %-5p [%t] %c %encode{%m}%n"/>
> {code}
> And logging this message:
> {code}
> LOG.warn("hi\n & <h1> there");
> {code}
> Would result in this being logged:
> {code}
> 2013-10-28 16:31:21,606 WARN [main] example.Test hi\n & <h1> there
> {code}
> instead of this (which shows the potential for log forging):
> {code}
> 2013-10-28 16:31:21,606 WARN [main] example.Test hi
> & <h1> there
> {code}
> This is roughly the code I used:
> {code}
> @Plugin(name = "escape", category = "Converter")
> @ConverterKeys({ "escape" })
> public final class EscapingReplacementConverter extends
> LogEventPatternConverter {
> private final List<PatternFormatter> formatters;
> private EscapingReplacementConverter(final List<PatternFormatter>
> formatters) {
> super("escape", "escape");
> this.formatters = formatters;
> }
> public static EscapingReplacementConverter newInstance(final
> Configuration config,
> final String[]
> options) {
> if (options.length != 1) {
> LOGGER.error("Incorrect number of options on escape. Expected 1,
> received "
> + options.length);
> return null;
> }
> if (options[0] == null) {
> LOGGER.error("No pattern supplied on escape");
> return null;
> }
> final PatternParser parser =
> PatternLayout.createPatternParser(config);
> final List<PatternFormatter> formatters = parser.parse(options[0]);
> return new EscapingReplacementConverter(formatters);
> }
> @Override
> public void format(final LogEvent event, final StringBuilder toAppendTo) {
> final StringBuilder buf = new StringBuilder();
> for (final PatternFormatter formatter : formatters) {
> formatter.format(event, buf);
> }
> toAppendTo.append(buf.toString()
> .replaceAll("\\r", "\\\\r")
> .replaceAll("\\n", "\\\\n")
> .replaceAll("&", "&")
> .replaceAll("<", "<")
> .replaceAll(">", ">"));
> }
> }
> {code}
> If this sounds good, I would like to hear feedback and ideas on how to make
> this better. I will then contribute this to the project. Do you think this
> could this get in 2.0?
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
