
Re: dependency injection and loggers

From Kevin McMurtrie <mcmurtrie@pixelmemory.us>
Newsgroups comp.lang.java.programmer
Subject Re: dependency injection and loggers
References (1 earlier) <kc6rjn$fl2$1@dont-email.me> <50e70f03$0$80098$742ec2ed@news.sonic.net> <50e79d8e$0$281$14726298@news.sunsite.dk> <50e7acef$0$10669$9a6e19ea@unlimited.newshosting.com> <H1YFs.44812$On7.35207@newsfe16.iad>
Date 2013-01-05 10:01 -0800
Message-ID <50e86a74$0$80158$742ec2ed@news.sonic.net>
Organization Sonic.Net



In article <H1YFs.44812$On7.35207@newsfe16.iad>,
 Arved Sandstrom <asandstrom2@eastlink.ca> wrote:

> On 01/05/2013 12:33 AM, Wayne wrote:
> > On 1/4/2013 10:27 PM, Arne Vajhøj wrote:
> >> On 1/4/2013 12:18 PM, Kevin McMurtrie wrote:
> >>> In article <kc6rjn$fl2$1@dont-email.me>,
> >>>    markspace <markspace@nospam.nospam> wrote:
> >>>>                                                        Absent some
> >>>> other framework (AOP, for example, or some sort of annotation
> >>>> processing), good old frameworks and libraries solve this problem.  Have
> >>>> a look at Apache logging:
> >>>>
> >>>> <http://commons.apache.org/logging/>
> >>>
> >>> I'd say that Java's own logger (java.util.logging) is worth a look too
> >>> if you want modularity.  It's easy to plug in custom formatters and
> >>> handlers.
> >>
> >> log4j has more than jul.
> >>
> >> But if jul has sufficient, then it is obviously fine.
> >>
> >>>                                           My biggest peeve about most
> >>> loggers is that they don't indent multi-line log entries nicely
> >>
> >> I would recommend avoiding multi-line entries completely.
> >>
> >> Arne
> >>
> >
> > Arne is right.  Permitting multi-line log entries is a security
> > hazard.  (It is safe to format log entries with multiple lines; but
> > you need to sanitize user data (e.g., strip CR/LF) before including
> > such data in your log messages.)
> >
> Errr, having multiline log entries is not a security hazard, not even 
> remotely. Splunk certainly doesn't think so - that toolset has extensive 
> configuration capabilities for handling multiline entries.
> 
> What *is* a hazard is if external input to a log entry, that might be 
> maliciously seeded with linefeeds, is not sanitized/conditioned. Which 
> is what you said. This is actually a CERT secure coding guideline. Point 
> being, if you are controlling log entry input, and *you* want a 
> linefeed, fill your boots. It's not insecure. Just don't let accidental 
> or malicious ones be supplied across a trust boundary.
> 
> I do agree with Arne that multiline should be avoided. Mainly because 
> it's a PITA. Not everyone is using Splunk.
> 
> AHS

There's absolutely nothing wrong with multi-line log messages.  This 
brings me around to many loggers not formatting correctly.  It should be 
something safe and easy to read like this:

YYYY/MM/DD META META META Log message line one
   Log message line two
   Log message line three
   Log message line four

This makes stack traces and long diagnostic messages look good while 
also preventing log spoofing.  A spoof attempt would look like:

YYYY/MM/DD META META META Malicious message line one
   YYYY/MM/DD META META META Malicious message line two

That second line isn't fooling anything because it starts with a TAB 
character.  This feature belongs in the log formatter so it's not 
junking up the rest of the codebase.
-- 
I will not see posts from Google because I must filter them as spam
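The indenting log formatter described in the post above, written out as an added example for java.util.logging (my code, not code from the thread or any of its participants). The class name, the timestamp pattern and the constructed sample input are assumptions; the point it demonstrates is that a CR/LF smuggled in through untrusted input can only ever produce an indented continuation line, never a line that looks like a fresh record header.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.logging.*;

/** One header line per record; every continuation line is prefixed with a TAB. */
public class IndentingFormatter extends Formatter {
    private static final DateTimeFormatter TS =
            DateTimeFormatter.ofPattern("yyyy/MM/dd HH:mm:ss").withZone(ZoneOffset.UTC);

    @Override
    public String format(LogRecord r) {
        StringBuilder sb = new StringBuilder();
        sb.append(TS.format(Instant.ofEpochMilli(r.getMillis()))).append(' ')
          .append(r.getLevel()).append(' ')
          .append(r.getLoggerName()).append(' ');
        // Normalise CRLF and bare CR to LF so no line-break variant slips past the indent.
        // (If the log sink also treats Unicode separators such as U+2028 as breaks,
        // normalise those here too.)
        String body = formatMessage(r).replace("\r\n", "\n").replace('\r', '\n');
        if (r.getThrown() != null) {
            StringWriter sw = new StringWriter();
            r.getThrown().printStackTrace(new PrintWriter(sw));
            body = body + "\n" + sw.toString().trim();   // stack trace lines get indented as well
        }
        // Only the header line starts at column 0; all following lines start with a TAB.
        sb.append(body.replace("\n", "\n\t")).append('\n');
        return sb.toString();
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("demo");
        log.setUseParentHandlers(false);
        Handler h = new ConsoleHandler();          // writes to stderr
        h.setFormatter(new IndentingFormatter());
        log.addHandler(h);
        // Constructed untrusted input carrying an injected fake record header.
        String user = "alice\n2013/01/05 10:01:00 INFO demo user admin logged in";
        log.info("login failed for " + user);
    }
}
```

Running `main` prints the genuine header line followed by the injected text on a TAB-indented line, so a parser or a reader scanning for lines that begin with a timestamp sees exactly one record.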



Thread

dependency injection and loggers Tomer <tomerbd1@gmail.com> - 2013-01-04 04:00 -0800
  Re: dependency injection and loggers markspace <markspace@nospam.nospam> - 2013-01-04 07:13 -0800
    Re: dependency injection and loggers Kevin McMurtrie <mcmurtrie@pixelmemory.us> - 2013-01-04 09:18 -0800
      Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-04 22:27 -0500
        Re: dependency injection and loggers Wayne <nospam@all.invalid> - 2013-01-04 23:33 -0500
          Re: dependency injection and loggers Arved Sandstrom <asandstrom2@eastlink.ca> - 2013-01-05 11:55 -0400
            Re: dependency injection and loggers Kevin McMurtrie <mcmurtrie@pixelmemory.us> - 2013-01-05 10:01 -0800
              Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-05 15:17 -0500
              Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-05 16:37 -0500
        Re: dependency injection and loggers Lew <lewbloch@gmail.com> - 2013-01-05 12:24 -0800
          Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-05 16:41 -0500
    Re: dependency injection and loggers Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-01-04 10:31 -0800
      Re: dependency injection and loggers Lew <lewbloch@gmail.com> - 2013-01-04 11:36 -0800
        Re: dependency injection and loggers Daniel Pitts <newsgroup.nospam@virtualinfinity.net> - 2013-01-04 11:57 -0800
      Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-04 22:28 -0500
  Re: dependency injection and loggers Arne Vajhøj <arne@vajhoej.dk> - 2013-01-04 22:24 -0500
