ppkarwasz opened a new pull request, #38:
URL: https://github.com/apache/logging-site/pull/38

   Adds a Sinks section, the counterpart of the existing Sources section, 
closing the sink-side gap deferred in #32 ("active versus passive sinks, and 
downstream-destination trust").
   
   The section states three things:
   
   1. Sinks are the destinations an appender writes to. Unlike sources, which 
range from trusted configuration to untrusted content, every sink is 
operator-configured and therefore trusted, including destinations created 
dynamically at runtime (for example a Routing appender that interpolates a file 
path).
   
   2. Destination integrity is a deployer responsibility. An adversary who can 
write to a log destination, for example by planting a symbolic link where a 
file appender creates its output, can already tamper with the logs directly, so 
the frameworks do not defend a destination they were configured to trust. A 
report that assumes such write access is out of scope.
   
   3. A passive sink consumes our output as the format the layout produced, and 
we own the correctness of that format. An active sink re-interprets well-formed 
output in another language and acts on it (a terminal executing ANSI escape 
sequences, for example), which we do not own. The boundary is whether the 
framework emitted output malformed in its own format (ours to fix) or 
well-formed output that a sink chose to re-interpret (out of scope).
   
   The two worked examples are precedents: CVE-2025-54812 (Log4cxx HTML layout 
emitting malformed HTML) is a defect we published, while the class of 
CVE-2025-55754 (Apache Tomcat, ANSI escape sequences interpreted by a Windows 
console) is one we do not treat as a vulnerability.
   
   Dependent edits: the Log Injection threat now lists the HTML layout and 
cross-references the passive/active distinction; the out-of-scope adversary 
list adds the destination-write-access case and the active-sink 
re-interpretation case.
   
   This is normative and requires PMC review before merge.
   
   Assisted-By: Claude Opus 4.8 <[email protected]>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to