-
1. Re: How slf4j-jboss works ?
jamezp Jan 30, 2013 2:08 PM (in response to yunshi)You should just need to use slf4j in your application and not include any dependencies. The server should have all the required dependencies to make it work.
If you could explain a little about why you want to strip \n out of the log messages that might help a bit to find a solution. If it's as simple as only wanting \r then you can just change the pattern. If there's more to it, it's probably more appropriate to create a custom handler for it.
--
James R. Perkins
-
2. Re: How slf4j-jboss works ?
yunshi Jan 31, 2013 3:58 AM (in response to jamezp)Thanks James.
I want to strip \n and \r in order to avoid the log forging problem (http://www.jtmelton.com/2010/09/21/preventing-log-forging-in-java/).
Is it possible to strip out these chars in the pattern ?
-
3. Re: How slf4j-jboss works ?
sfcoy Jan 31, 2013 4:41 AM (in response to yunshi)This is the same problem as SQL injection and should be treated the same way.
i.e. always validate all input from a web client.
-
4. Re: How slf4j-jboss works ?
yunshi Jan 31, 2013 5:38 AM (in response to sfcoy)Hi Stephen,
For the log forging, yes we could validate all input from a web client. But it seems more sure to also have a piece of code to make sure that the log cannot be forged.
-
5. Re: How slf4j-jboss works ?
sfcoy Jan 31, 2013 6:24 AM (in response to yunshi)SQL injection is a way more important problem, and if you deal with that properly you will not have any log forging issues.
Refer: http://xkcd.com/327/
-
6. Re: How slf4j-jboss works ?
sfcoy Jan 31, 2013 6:52 AM (in response to yunshi)And while we're on the subject *ALL* web developers should be thoroughly familiar with the OWASP Top Ten.
You will see that log forging does not rate an explicit mention, because it's well covered by other broader issues.
-
7. Re: How slf4j-jboss works ?
jamezp Jan 31, 2013 11:59 AM (in response to yunshi)No, a pattern wouldn't fix that. You would need to use a custom handler, but at that point I would question why not just sanitize the parameters instead of attempting to do it in a logging framework? A filter might work as well, but to be honest the filter support in AS 7.1.x isn't the greatest. Just tested too and the replace filter is broken in 7.1.1.Final.
A side question: have you ever seen an attack like this happen? How would the attacker know the format your logs are written out like?
--
James R. Perkins
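A sanitizing helper along the lines jamezp suggests in reply 7 (sanitize the parameter before it reaches the logging framework), added here as an illustration and not code from the thread, from JBoss or from slf4j; the class name, the slf4j logger and the sample username value are assumptions:

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Escapes line breaks and other control characters in untrusted values before logging. */
public final class LogSanitizer {

    // Hypothetical logger; on JBoss AS 7 slf4j is supplied by the server, as reply 1 notes.
    private static final Logger LOG = LoggerFactory.getLogger(LogSanitizer.class);

    private LogSanitizer() {
    }

    /**
     * Returns a copy of value in which CR, LF, TAB and every other ISO control
     * character is replaced by a visible escape, so the result can never
     * terminate the current log record or start a new one. Escaping (rather
     * than deleting) keeps the original bytes recoverable for forensics.
     */
    public static String sanitize(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\n': out.append("\\n"); break;
                case '\r': out.append("\\r"); break;
                case '\t': out.append("\\t"); break;
                default:
                    if (Character.isISOControl(c)) {
                        // Covers U+0000..U+001F and U+007F..U+009F.
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a form field that embeds a line break to fake a second record.
        String username = "alice\r\nINFO  [example.Login] login succeeded for admin";
        // Sanitized before being handed to slf4j; the whole value stays on one line:
        // login failed for user [alice\r\nINFO  [example.Login] login succeeded for admin]
        LOG.warn("login failed for user [{}]", sanitize(username));
    }
}
```

Applying the same helper to every request-derived value that is logged (headers, parameters, path segments) is what keeps the pattern-level fix unnecessary.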