Summary
It's possible for a user to forge a log and insert a random string in there, like extra lines which look like log entries.

curl -k http://localhost:8080/login -H 'Content-Type: application/x-www-form-urlencoded' -d 'username=not_valid_user, *********************************************** INJECT WHATEVER YOU WANT [2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit: PrincipalAuthenticationFailure ('null'): principal=not_valid_user, *********************************************** &password=pwd'

Actual Behavior
Things you see in the logs:

[2017-07-20 23:14:32.116] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- LdapAuthenticationProvider: Processing authentication request for user: not_valid_user, ************************************************************ INJECT WHATEVER YOU WANT
[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit: PrincipalAuthenticationFailure ('null'): principal=not_valid_user, ************************************************************
[2017-07-20 23:14:32.117] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user 'not_valid_user ************************************************************ INJECT WHATEVER YOU WANT
[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit: PrincipalAuthenticationFailure ('null'): principal=not_valid_user, ************************************************************

Expected Behavior
It's not possible to add extra lines to the logs.

Version
4.2.3

Notes
We changed the logging level for LdapAuthenticationProvider and FilterBasedLdapUserSearch to INFO to avoid printing the username.
Thanks!
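The mechanism behind the report, as an added example that is not code from the UAA project: a username carrying CR/LF is interpolated into a DEBUG message unchanged, so the logger writes a second line that imitates the Audit logger's PrincipalAuthenticationFailure record. The block shows the vulnerable pattern beside a sanitiser that escapes control characters at the logging boundary, and a detector that flags injected lines in a constructed log excerpt. The record layout "[ts] uaa - <pid> [<thread>] .... LEVEL --- Logger: message", the PID 1179 and every log line in the block are assumptions modelled on the lines quoted above, not output captured from a real instance.

```python
"""Log forging through a user-controlled username, and two defences.

Added example; not code from the UAA project. The record layout, the PID
1179 and all log lines below are constructed to resemble the issue text.
"""
import re
from datetime import datetime

# Constructed attacker input: the CR/LF makes a naive logger emit a second,
# fake record in the style of the Audit logger.
FORGED_USERNAME = (
    "not_valid_user\r\n"
    "[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- "
    "Audit: PrincipalAuthenticationFailure ('null'): principal=not_valid_user"
)

# Assumed layout of a genuine record written by this process.
RECORD_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\] "
    r"uaa - (?P<pid>\d+) \[(?P<thread>[^\]]+)\] \.{4} "
    r"(?P<level>[A-Z]+) --- (?P<logger>[\w.$]+): (?P<msg>.*)$"
)
RECORD_PREFIX = "[2017-07-20 23:14:32.116] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- "


def naive_log_line(username: str) -> str:
    """A logger that interpolates the username unchanged (the vulnerable pattern)."""
    return (RECORD_PREFIX + "LdapAuthenticationProvider: "
            f"Processing authentication request for user: {username}")


def sanitize_for_log(value: str, max_len: int = 256) -> str:
    """Neutralise line breaks and other control characters before logging.

    CR, LF, TAB, every other C0 control and DEL become visible escapes, so the
    record stays on one line but the injected text is still readable during
    forensics. Long values are truncated to stop log flooding.
    """
    out = []
    for ch in value:
        code = ord(ch)
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif code < 0x20 or code == 0x7F:
            out.append(f"\\x{code:02x}")
        else:
            out.append(ch)
    text = "".join(out)
    if len(text) > max_len:
        text = text[:max_len] + "...[truncated]"
    return text


def safe_log_line(username: str) -> str:
    """The hardened counterpart of naive_log_line."""
    return naive_log_line(sanitize_for_log(username))


def find_forged_lines(log_text: str, expected_pid: str = "1179") -> list:
    """Return lines that look injected rather than written by the logger.

    A line is suspicious if it does not match the logger's own layout, carries
    a foreign PID, or runs backwards in time relative to the previous genuine
    record (the forged line above is dated weeks before its neighbours).
    """
    suspicious = []
    last_ts = None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = RECORD_RE.match(line)
        if match is None or match.group("pid") != expected_pid:
            suspicious.append(line)
            continue
        ts = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        if last_ts is not None and ts < last_ts:
            suspicious.append(line)
            continue
        last_ts = ts
    return suspicious


def build_sample_log() -> str:
    """Constructed excerpt: two genuine records around the naively logged request."""
    return "\n".join([
        "[2017-07-20 23:14:32.100] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- "
        "LdapAuthenticationProvider: Processing authentication request for user: alice",
        naive_log_line(FORGED_USERNAME),
        "[2017-07-20 23:14:32.117] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- "
        "FilterBasedLdapUserSearch: Searching for user 'alice'",
    ])


if __name__ == "__main__":
    print("naive logger wrote", len(naive_log_line(FORGED_USERNAME).splitlines()), "lines")
    print("hardened logger wrote:", safe_log_line(FORGED_USERNAME))
    for line in find_forged_lines(build_sample_log()):
        print("suspicious:", line)
```

Raising the log level, as the maintainers did, takes the username out of those two DEBUG messages; escaping at the logging boundary covers every place a user-controlled string reaches a log, including the Audit lines that still print the principal. The timestamp check in the detector is only a heuristic: an attacker who knows the current time and thread name can forge a record that passes both format and ordering checks, which is why the fix belongs in the writer, not the reader.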