Log4j: Sanitize Log Parameters Created from User Input #1814

Closed
lastzero opened this issue Dec 14, 2021 · 1 comment
Labels: enhancement (Refactoring, improvement or maintenance task), released (Available in the stable release), security (Impact on server or browser security)


lastzero commented Dec 14, 2021

Even though PhotoPrism is not directly affected by the Log4j debacle:

  • Log messages may contain parameters created from user input like photo & album titles
  • We should do our best to remove potentially problematic strings

More information on the Apache Log4j vulnerability:

@lastzero lastzero added the enhancement Refactoring, improvement or maintenance task label Dec 14, 2021
@lastzero lastzero self-assigned this Dec 14, 2021
@lastzero lastzero added the security Impact on server or browser security label Dec 14, 2021
@lastzero lastzero added the please-test Ready for acceptance test label Dec 14, 2021
@lastzero (Member, Author)

Released! Please report any unintended side effects so that we can improve the input validation if needed 👍

@lastzero lastzero added released Available in the stable release and removed please-test Ready for acceptance test labels Dec 16, 2021
@lastzero lastzero changed the title Log4j: Sanitize Log Parameters Created from User Input Log4j: Sanitize User Input and Log Parameters Dec 16, 2021
@lastzero lastzero changed the title Log4j: Sanitize User Input and Log Parameters Log4j: Sanitize Log Parameters Created from User Input Dec 16, 2021
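
One way to sanitize log parameters built from user input such as photo and album titles, as this issue asks. This is an added example, not PhotoPrism's own code. The names `SanitizeLogParam` and `maxLogParam` and the 200-character limit are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// maxLogParam caps one sanitized parameter; 200 is an assumed limit.
const maxLogParam = 200

// SanitizeLogParam (hypothetical helper) returns a copy of a user-supplied
// value that is safe to embed in a log line. Only the logged copy changes;
// the stored title is untouched.
func SanitizeLogParam(s string) string {
	var b strings.Builder
	n := 0
	for _, r := range s {
		if n >= maxLogParam {
			break // cap the length so one field cannot flood the log
		}
		switch {
		case unicode.IsControl(r):
			continue // CR, LF, ESC, NUL: a value must not start a new log line
		case r == '$' || r == '{' || r == '}':
			continue // breaks up "${...}" lookup syntax, nested forms included
		case r == unicode.ReplacementChar:
			continue // invalid UTF-8 decodes to U+FFFD; drop it
		}
		b.WriteRune(r)
		n++
	}
	return strings.TrimSpace(b.String())
}

func main() {
	// Constructed sample titles, not taken from any real log.
	titles := []string{
		"Holiday ${lookup:value}",
		"Summer\r\nlevel=error msg=forged",
		"  Zürich 🌈 ",
	}
	for _, t := range titles {
		fmt.Printf("album title=%q\n", SanitizeLogParam(t))
	}
}
```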