...
| Code Block |
|---|
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: david |
If the user name username that is used in a log message was not david, but rather something a multiline string like this:
| Code Block |
|---|
david May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log SEVERE: User login succeeded for: administrator |
...
This compliant solution sanitizes the user name username input before logging it, preventing injection. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
| Code Block | ||
|---|---|---|
| ||
if (!Pattern.matches("[A-Za-z0-9_]+", username)) {
// Unsanitized user nameusername
logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
logger.severe("User login succeeded for: " + username);
} else {
logger.severe("User login failed for: " + username);
}
|
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e2ad0ad092844822-47eed694-43e04bda-97fab542-b4ae969e67c89a3d580f4e93"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | "Injection [RST]" | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-144, "Improper Neutralization of Line Delimiters" | ||||
| CWE-150, "Improper Neutralization of Escape, Meta, or Control Sequences" |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8cae2715cfdaf2ec-cb7e74f6-40ff49ec-a895ba40-0a9813ea9c6592fda707df48"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | ]]></ac:plain-text-body></ac:structured-macro> |
...