[jira] [Updated] (LOG4J2-2968) Placeholder with default value containing "}"

2020-12-03 Thread Donatien RIVIERE (Jira)


 [ 
https://issues.apache.org/jira/browse/LOG4J2-2968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Donatien RIVIERE updated LOG4J2-2968:
-
Description: 
StrSubstitutor does not properly handle a variable default value that contains 
"}" character because it is interpreted as end of the variable default value.

However, this character is part of the pattern layout format, so it is very 
common to expect defining a variable allowing to set a pattern, and fallback to 
a default value containing this kind of character.

Example:

{code:yaml}
  pattern: $\{env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
{code}

This pattern is interpreted as below which is obviously wrong (and not a valid 
pattern format).

{code:java}
%date{DEFAULT %level %m%n}
{code}

It would be nice to be able to protect the default value with quotes or any 
begin/end character.

Please find the JUnit test case in attachment.

  was:
StrSubstitutor does not properly handle variable default values that 
contain "}" because it is interpreted as end of default value.

However, this character is part of the pattern layout format, so it is very 
common to expect defining a variable allowing to set a pattern, and fallback to 
the default value.

Example:

{code:yaml}
  pattern: $\{env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
{code}

This pattern is interpreted as below which is obviously wrong (and not a valid 
pattern format).

{code:java}
%date{DEFAULT %level %m%n}
{code}

It would be nice to be able to protect the default value with quotes or any 
begin/end character.

Please find the JUnit test case in attachment.


> Placeholder with default value containing "}"
> -
>
> Key: LOG4J2-2968
> URL: https://issues.apache.org/jira/browse/LOG4J2-2968
> Project: Log4j 2
>  Issue Type: Bug
>  Components: Lookups
>Affects Versions: 2.14.0, 2.13.3
> Environment: 
>Reporter: Donatien RIVIERE
>Priority: Major
> Attachments: StrSubstitutorPatternDefaultValueTest.java
>
>
> StrSubstitutor does not properly handle a variable default value that 
> contains "}" character because it is interpreted as end of the variable 
> default value.
> However, this character is part of the pattern layout format, so it is very 
> common to expect defining a variable allowing to set a pattern, and fallback 
> to a default value containing this kind of character.
> Example:
> {code:yaml}
>   pattern: $\{env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
> {code}
> This pattern is interpreted as below which is obviously wrong (and not a 
> valid pattern format).
> {code:java}
> %date{DEFAULT %level %m%n}
> {code}
> It would be nice to be able to protect the default value with quotes or any 
> begin/end character.
> Please find the JUnit test case in attachment.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
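
The mis-parse reported above, reproduced as an added example that is not part of the original message and is not Log4j's StrSubstitutor source. It is a simplified model of "${name:-default}" resolution with hypothetical class and method names: ending the placeholder at the first "}" yields the broken pattern from the report, while matching the "}" that balances the opening "${" keeps the default value whole.

```java
import java.util.*;

// Added illustration: a simplified model of "${name:-default}" resolution,
// not Log4j's StrSubstitutor code. All names here are hypothetical.
public class DefaultValueBraceDemo {

    /** Ends the placeholder at the first '}' (the behaviour the report describes). */
    static int firstCloser(String s, int from) {
        return s.indexOf('}', from);
    }

    /** Ends the placeholder at the '}' that balances the opening "${". */
    static int balancedCloser(String s, int from) {
        int depth = 1;
        for (int i = from; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '{') depth++;
            else if (c == '}' && --depth == 0) return i;
        }
        return -1; // unterminated placeholder
    }

    static String resolve(String text, Map<String, String> vars, boolean balanced) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int start = text.indexOf("${", pos);
            if (start < 0) break;
            int end = balanced ? balancedCloser(text, start + 2) : firstCloser(text, start + 2);
            if (end < 0) break;
            String body = text.substring(start + 2, end);
            int sep = body.indexOf(":-");
            String name = sep < 0 ? body : body.substring(0, sep);
            String dflt = sep < 0 ? null : body.substring(sep + 2);
            String value = vars.containsKey(name) ? vars.get(name) : dflt;
            out.append(text, pos, start);
            // Leave the placeholder untouched when there is neither value nor default.
            out.append(value != null ? value : text.substring(start, end + 1));
            pos = end + 1;
        }
        return out.append(text.substring(pos)).toString();
    }

    public static void main(String[] args) {
        String cfg = "${env:MY_PATTERN:-%date{DEFAULT} %level %m%n}";
        Map<String, String> unset = Collections.emptyMap(); // MY_PATTERN not defined
        System.out.println(resolve(cfg, unset, false)); // first-'}' matching
        System.out.println(resolve(cfg, unset, true));  // brace-balanced matching
    }
}
```

Brace balancing is only one possible approach; the report itself suggests quoting or an explicit begin/end character for the default value.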


[jira] [Updated] (LOG4J2-2968) Placeholder with default value containing "}"

2020-12-03 Thread Donatien RIVIERE (Jira)


 [ 
https://issues.apache.org/jira/browse/LOG4J2-2968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Donatien RIVIERE updated LOG4J2-2968:
-
Description: 
StrSubstitutor does not properly handle a variable default value that contains 
"}" character because it is interpreted as end of the variable default value.

However, this character is part of the pattern layout format, so it is very 
common to expect defining a variable allowing to set a pattern, and fallback to 
a default value containing this kind of character.

Example:

{code:yaml}
  pattern: ${env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
{code}

This pattern is interpreted as below which is obviously wrong (and not a valid 
pattern format).

{code:java}
%date{DEFAULT %level %m%n}
{code}

It would be nice to be able to protect the default value with quotes or any 
begin/end character.

Please find the JUnit test case in attachment.

  was:
StrSubstitutor does not properly handle a variable default value that contains 
"}" character because it is interpreted as end of the variable default value.

However, this character is part of the pattern layout format, so it is very 
common to expect defining a variable allowing to set a pattern, and fallback to 
a default value containing this kind of character.

Example:

{code:yaml}
  pattern: $\{env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
{code}

This pattern is interpreted as below which is obviously wrong (and not a valid 
pattern format).

{code:java}
%date{DEFAULT %level %m%n}
{code}

It would be nice to be able to protect the default value with quotes or any 
begin/end character.

Please find the JUnit test case in attachment.


> Placeholder with default value containing "}"
> -
>
> Key: LOG4J2-2968
> URL: https://issues.apache.org/jira/browse/LOG4J2-2968
> Project: Log4j 2
>  Issue Type: Bug
>  Components: Lookups
>Affects Versions: 2.14.0, 2.13.3
> Environment: 
>Reporter: Donatien RIVIERE
>Priority: Major
> Attachments: StrSubstitutorPatternDefaultValueTest.java
>
>
> StrSubstitutor does not properly handle a variable default value that 
> contains "}" character because it is interpreted as end of the variable 
> default value.
> However, this character is part of the pattern layout format, so it is very 
> common to expect defining a variable allowing to set a pattern, and fallback 
> to a default value containing this kind of character.
> Example:
> {code:yaml}
>   pattern: ${env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
> {code}
> This pattern is interpreted as below which is obviously wrong (and not a 
> valid pattern format).
> {code:java}
> %date{DEFAULT %level %m%n}
> {code}
> It would be nice to be able to protect the default value with quotes or any 
> begin/end character.
> Please find the JUnit test case in attachment.





[jira] [Created] (LOG4J2-2968) Placeholder with default value containing "}"

2020-12-03 Thread Donatien RIVIERE (Jira)
Donatien RIVIERE created LOG4J2-2968:


 Summary: Placeholder with default value containing "}"
 Key: LOG4J2-2968
 URL: https://issues.apache.org/jira/browse/LOG4J2-2968
 Project: Log4j 2
  Issue Type: Bug
  Components: Lookups
Affects Versions: 2.13.3, 2.14.0
 Environment: 

Reporter: Donatien RIVIERE
 Attachments: StrSubstitutorPatternDefaultValueTest.java

StrSubstitutor does not properly handle variable default values that 
contain "}" because it is interpreted as end of default value.

However, this character is part of the pattern layout format, so it is very 
common to expect defining a variable allowing to set a pattern, and fallback to 
the default value.

Example:

{code:yaml}
  pattern: $\{env:MY_PATTERN:-%date{DEFAULT} %level %m%n}
{code}

This pattern is interpreted as below which is obviously wrong (and not a valid 
pattern format).

{code:java}
%date{DEFAULT %level %m%n}
{code}

It would be nice to be able to protect the default value with quotes or any 
begin/end character.

Please find the JUnit test case in attachment.





[jira] [Commented] (LOG4J2-411) Support of XSD/DTD linked to the configuration file

2018-01-30 Thread Donatien RIVIERE (JIRA)

[ 
https://issues.apache.org/jira/browse/LOG4J2-411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16344739#comment-16344739
 ] 

Donatien RIVIERE commented on LOG4J2-411:
-

The main Log4j-config.xsd (that can be referenced using namespace catalog) does 
not include the Appenders definition (except for Console).

So how to configure them, know the options and their documentation using an IDE? 
Is there any other XSD for those appenders?

After all, this is the most complex / specific part!

> Support of XSD/DTD linked to the configuration file
> ---
>
> Key: LOG4J2-411
> URL: https://issues.apache.org/jira/browse/LOG4J2-411
> Project: Log4j 2
>  Issue Type: Wish
>  Components: Configurators
>Affects Versions: 2.0-beta9
> Environment: Windows - OracleJDK 7/Linux - OpenJDK 7
>Reporter: Ladislav Jech
>Priority: Minor
>  Labels: features
>
> It might be a good idea to include an XSD reference inside of the xml 
> configuration file in a way as Maven does in pom.xml file, so the user can 
> use IDE suggestions (like Netbeans can do) to configure the logging system.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (LOG4J2-1863) Add support for filtering input in TcpSocketServer and UdpSocketServer

2018-01-25 Thread Donatien RIVIERE (JIRA)

[ 
https://issues.apache.org/jira/browse/LOG4J2-1863?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16339319#comment-16339319
 ] 

Donatien RIVIERE commented on LOG4J2-1863:
--

Log4j socket servers have been moved to "logging-log4j-tools" repository in a 
"log4j-server" project since 2.9.0.

But this artifact "org.apache.logging.log4j:log4j-server" is not published to 
any public Maven repository, which makes it almost totally hidden, and unusable.

What is the plan about that?

[https://git-wip-us.apache.org/repos/asf?p=logging-log4j-tools.git;a=tree;f=log4j-server;hb=HEAD]

> Add support for filtering input in TcpSocketServer and UdpSocketServer
> --
>
> Key: LOG4J2-1863
> URL: https://issues.apache.org/jira/browse/LOG4J2-1863
> Project: Log4j 2
>  Issue Type: New Feature
>  Components: Receivers
>Affects Versions: 2.8.1
>Reporter: Matt Sicker
>Assignee: Matt Sicker
>Priority: Major
> Fix For: 2.8.2
>
>
> It is best practice to add a configurable class filter to ObjectInputStream 
> usage when input comes from untrusted sources. Add this feature to 
> TcpSocketServer and UdpSocketServer along with sensible default settings. 
> This feature is unnecessary in JmsServer as that relies on the underlying 
> configuration of the JMS server (e.g., ActiveMQ has a similar configuration 
> option).
> h3. Security Details
> {code}
> CVE-2017-5645: Apache Log4j socket receiver deserialization vulnerability
> Severity: High
> CVSS Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> Vendor: The Apache Software Foundation
> Versions Affected: all versions from 2.0-alpha1 to 2.8.1
> Description: When using the TCP socket server or UDP socket server to receive 
> serialized log events from another application, a specially crafted binary 
> payload can be sent that, when deserialized, can execute arbitrary code.
> Mitigation: Java 7+ users should migrate to version 2.8.2 or avoid using the 
> socket server classes. Java 6 users should avoid using the TCP or UDP socket 
> server classes, or they can manually backport the security fix from 2.8.2: 
> 
> Credit: This issue was discovered by Marcio Almeida de Macedo of Red Team at 
> Telstra
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)