Re: dependency injection and loggers

From Arved Sandstrom <asandstrom2@eastlink.ca>
Newsgroups comp.lang.java.programmer
Subject Re: dependency injection and loggers
References <e3230fa7-b672-49e0-a7ef-dfb55a9180b5@googlegroups.com> <kc6rjn$fl2$1@dont-email.me> <50e70f03$0$80098$742ec2ed@news.sonic.net> <50e79d8e$0$281$14726298@news.sunsite.dk> <50e7acef$0$10669$9a6e19ea@unlimited.newshosting.com>
Message-ID <H1YFs.44812$On7.35207@newsfe16.iad> (permalink)
Organization Public Usenet Newsgroup Access
Date 2013-01-05 11:55 -0400


On 01/05/2013 12:33 AM, Wayne wrote:
> On 1/4/2013 10:27 PM, Arne Vajhøj wrote:
>> On 1/4/2013 12:18 PM, Kevin McMurtrie wrote:
>>> In article <kc6rjn$fl2$1@dont-email.me>,
>>>    markspace <markspace@nospam.nospam> wrote:
>>>>                                                        Absent some
>>>> other framework (AOP, for example, or some sort of annotation
>>>> processing), good old frameworks and libraries solve this problem.  Have
>>>> a look at Apache logging:
>>>>
>>>> <http://commons.apache.org/logging/>
>>>
>>> I'd say that Java's own logger (java.util.logging) is worth a look too
>>> if you want modularity.  It's easy to plug in custom formatters and
>>> handlers.
>>
>> log4j has more than jul.
>>
>> But if jul has sufficient, then it is obviously fine.
>>
>>>                                           My biggest peeve about most
>>> loggers is that they don't indent multi-line log entries nicely
>>
>> I would recommend avoiding multi-line entries completely.
>>
>> Arne
>>
>
> Arne is right.  Permitting multi-line log entries is a security
> hazard.  (It is safe to format log entries with multiple lines; but
> you need to sanitize user data (e.g., strip CR/LF) before including
> such data in your log messages.)
>
Errr, having multiline log entries is not a security hazard, not even 
remotely. Splunk certainly doesn't think so - that toolset has extensive 
configuration capabilities for handling multiline entries.

What *is* a hazard is if external input to a log entry, that might be 
maliciously seeded with linefeeds, is not sanitized/conditioned. Which 
is what you said. This is actually a CERT secure coding guideline. Point 
being, if you are controlling log entry input, and *you* want a 
linefeed, fill your boots. It's not insecure. Just don't let accidental 
or malicious ones be supplied across a trust boundary.

I do agree with Arne that multiline should be avoided. Mainly because 
it's a PITA. Not everyone is using Splunk.

AHS
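
The distinction drawn in the post above, as an added example that is not part of the original message: line breaks the developer writes are left alone, while a value that crossed a trust boundary has CR/LF and other control characters escaped before it reaches the logger. The class name `LogSanitizer`, the method `neutralize` and the sample input are hypothetical; only `java.util.logging` is assumed.

```java
import java.util.logging.Logger;

// Added example: neutralise line breaks in untrusted values before logging.
public class LogSanitizer {
    private static final Logger LOG = Logger.getLogger(LogSanitizer.class.getName());

    // Unicode line and paragraph separators, which some log viewers render as breaks.
    private static final char LINE_SEP = (char) 0x2028;
    private static final char PARA_SEP = (char) 0x2029;

    /** Escapes CR, LF and other control or separator characters so that a value
     *  from outside the trust boundary cannot start what looks like a new record. */
    static String neutralize(String untrusted) {
        if (untrusted == null) {
            return "(null)";
        }
        StringBuilder sb = new StringBuilder(untrusted.length() + 16);
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\\') {
                sb.append("\\\\"); // escape the escape character so output stays unambiguous
            } else if (Character.isISOControl(c) || c == LINE_SEP || c == PARA_SEP) {
                sb.append(String.format("\\u%04x", (int) c)); // covers NEL, tab, NUL, etc.
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: a "username" field carrying an embedded linefeed
        // followed by text shaped like a second log record.
        String username = "guest\nINFO: login succeeded for admin";

        // Developer-controlled multi-line entry: the linefeed is ours, so it is kept.
        LOG.info("Startup complete\n  mode=test");

        // Untrusted value: neutralised, so it stays on one line of one record.
        LOG.warning("login failed for user=" + neutralize(username));
    }
}
```

With the escaping applied, the second record reads `login failed for user=guest\nINFO: login succeeded for admin` on a single line, so a reader or parser can see the linefeed was part of the supplied value.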
