Eccenux opened a new issue, #3526:
URL: https://github.com/apache/logging-log4j2/issues/3526
## Description
Seems like a star character ("*") is expanded into a directory listing.
Might be a security issue, I guess, but I don't think so. It's definitely an annoyance.
## Configuration
**Version:** 2.24.3
```
[INFO] +- org.apache.logging.log4j:log4j-slf4j2-impl:jar:2.24.3:compile
[INFO] |  +- (org.apache.logging.log4j:log4j-api:jar:2.24.3:compile - omitted for duplicate)
[INFO] |  +- org.slf4j:slf4j-api:jar:2.0.16:compile
[INFO] |  \- (org.apache.logging.log4j:log4j-core:jar:2.24.3:runtime - omitted for duplicate)
```
**Operating system:** Ubuntu 22.04.4 LTS
(also happens on a different test server with a later Ubuntu 22.04)
(on Windows 11 it seems fine)
**JDK:** Adoptium JDK: OpenJDK Runtime Environment Temurin-17.0.6+10 (build 17.0.6+10)
(same on a later Adoptium build: 17.0.11+9)
## Logs
Expected log:
```
2025-03-10 15:50:56.0374 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: 12 34 22 * * * (nux)
```
Actual log contains a directory listing:
```
2025-03-10 12:46:09.0969 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: 12 34 22 bin BUILDING.txt conf CONTRIBUTING.md ... bin BUILDING.txt conf CONTRIBUTING.md ... bin BUILDING.txt conf CONTRIBUTING.md ... (nux)
```
This varies from server to server, but might be a `/root/` listing (on some
test VMs) or a Tomcat directory listing (as in the example above).
## Reproduction
Minimized code (from the actual service code):
```java
package com.example.core.privateservice;

import javax.annotation.PostConstruct;
import org.springframework.stereotype.Component;
import org.springframework.beans.factory.annotation.Value;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
public class HiddenEntryScheduler {
    private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

    // daily (late evening)
    //@Value("${cron.hiddenentry.sync.cron:Rand60 Rand60 22 * * *}")
    @Value("${cron.hiddenentry.sync.cron:12 34 22 * * *}")
    private String cronExpression;

    @PostConstruct
    private void initialize() {
        String tenant = "nux";
        String dynamicCronExpression;
        dynamicCronExpression = cronExpression;
        LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression, tenant);
    }
}
```
The actual code is not much larger. Normally the "Rand60" seen in the comment is
dynamically replaced with a random number between 0 and 60.
But effectively this should simply be:
```java
private static final Logger LOG = LoggerFactory.getLogger(HiddenEntryScheduler.class);

@PostConstruct
private void initialize() {
    // the string literal must stay on one line to compile
    LOG.info("Initialized cron for index-sync: 12 34 22 * * * (nux)");
}
```
## Additional notes
I did try to add the old NoLookups thing, but that didn't help:
```java
System.setProperty("log4j2.formatMsgNoLookups", "true");
```
I'm not quite sure if the option is still relevant. [Looking at the current code, it doesn't seem like it is](https://github.com/apache/logging-log4j2/blob/23290e480d7c9146af962d1a3707ab7b06648894/log4j-core/src/main/java/org/apache/logging/log4j/core/pattern/MessagePatternConverter.java#L89).
Some docs still mention `m{lookups}`:
https://logging.apache.org/log4j/2.x/manual/pattern-layout.html#converter-message
I did also check, and `@Value` does not expand the asterisk/star. When I
do this:
```java
LOG.info("Initialized cron for index-sync: {} ({})", dynamicCronExpression.replace("*", "[any]"), tenant);
```
The message is:
```
2025-03-10 14:51:49.0943 INFO : com.e.cor.privateservice.HiddenEntryScheduler Initialized cron for index-sync: 12 34 22 [any] [any] [any] (nux)
```
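The symptom in this report (each bare `*` turned into a listing of the current directory, on Linux only) is exactly what unquoted word expansion in a POSIX shell produces. The script below is an added illustration, not code from the issue or from Log4j, and it does not claim to be the diagnosis of this report: it builds a throwaway directory, shows a constructed log line being expanded when it passes unquoted through `echo`, and shows the two guards (double quotes, or `set -f`) that keep the string intact, so a reader can check any shell stage that handles log lines between the application and the stored file.

```shell
#!/bin/sh
# Added illustration (not from the issue): a log line carrying cron "*" fields
# passes through a shell. Unquoted, the shell word-splits it and glob-expands
# every "*" against the current directory; quoted or with `set -f` it survives.

# Constructed log line, mirroring the one in the report.
LINE='INFO Initialized cron for index-sync: 12 34 22 * * * (nux)'

# Constructed working directory with a few plain files for the glob to match
# (lowercase names so the expansion order is the same in every locale).
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
for f in bin conf lib; do : > "$WORKDIR/$f"; done

# Unquoted: each bare "*" is replaced by the directory listing.
log_unquoted() { (cd "$WORKDIR" && echo $LINE); }

# Double-quoted: the string is passed through verbatim.
log_quoted() { (cd "$WORKDIR" && echo "$LINE"); }

# set -f (noglob) disables pathname expansion even for unquoted words;
# word splitting still happens, but the single spaces here are preserved.
log_noglob() { (cd "$WORKDIR" && set -f && echo $LINE); }

# Check helper: did the "* * *" fields survive intact? Prints yes/no.
stars_intact() {
  case "$1" in
    *'* * *'*) echo yes ;;
    *) echo no ;;
  esac
}

printf 'unquoted: %s  (stars intact: %s)\n' "$(log_unquoted)" "$(stars_intact "$(log_unquoted)")"
printf 'quoted:   %s  (stars intact: %s)\n' "$(log_quoted)"   "$(stars_intact "$(log_quoted)")"
printf 'noglob:   %s  (stars intact: %s)\n' "$(log_noglob)"   "$(stars_intact "$(log_noglob)")"
```

Run in a directory containing `bin`, `conf` and `lib`, the unquoted variant prints `12 34 22 bin conf lib bin conf lib bin conf lib`, which is the shape of the "actual log" above.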