...
Logging unsanitized user input can also leak sensitive data across a trust boundary, or store sensitive data in a manner that violates local law or regulation. For example, if a user can inject an unencrypted credit card number into a log file, the system could violate PCI DSS (Payment Card Industry Data Security Standard) requirements [PCI 2010]. See rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
...
This compliant solution validates the username input against an allow-list before logging it, so that attacker-controlled characters (such as line breaks) never reach the log and cannot forge log entries. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.
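The following is an added illustration of that approach, not the rule's own compliant solution. It assumes a username policy of letters, digits and underscore (1 to 32 characters) and a hypothetical `SafeLoginLogger` class; the inputs in `main` are constructed. Usernames are checked against the allow-list before logging, a rejected value is never echoed into the log, and a separate helper shows how free-form fields can have control characters neutralized when strict validation is not possible.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (not the rule's own code): validate untrusted input before it
// reaches the log so that embedded CR/LF or control characters cannot split
// one record into several forged records.
public final class SafeLoginLogger {
    private static final Logger LOGGER =
        Logger.getLogger(SafeLoginLogger.class.getName());

    // Assumed username policy: letters, digits and underscore, 1..32 characters.
    private static final Pattern USERNAME = Pattern.compile("[A-Za-z0-9_]{1,32}");

    // Returns true when the username matches the allow-list and is safe to log as-is.
    static boolean isValidUsername(String username) {
        return username != null && USERNAME.matcher(username).matches();
    }

    // Fallback for free-form fields that cannot be strictly validated: replace
    // every control character (including CR and LF) so the log line stays intact.
    static String neutralizeControlChars(String s) {
        return s == null ? "" : s.replaceAll("\\p{Cntrl}", "_");
    }

    // Logs the outcome of a login attempt; never writes a rejected username verbatim.
    static void logLoginAttempt(String username, boolean success) {
        if (!isValidUsername(username)) {
            LOGGER.log(Level.WARNING,
                "Login attempt with malformed username rejected");
            return;
        }
        LOGGER.log(Level.INFO, "User login {0}: {1}",
            new Object[] { success ? "succeeded" : "failed", username });
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign username and one carrying an embedded line break.
        logLoginAttempt("alice", true);
        logLoginAttempt("mallory\nfake entry", false);
        // Free-form field example: control characters are replaced, not passed through.
        System.out.println(neutralizeControlChars("comment\r\nsecond line"));
    }
}
```

Rejecting the input outright (rather than cleaning it and logging the result) is the right choice for fields with a known format such as usernames; the neutralizing helper is only for fields where no strict format exists, and even then the original untrusted value should not be written to the log.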
...
Tool | Version | Checker | Description
---|---|---|---
Fortify | | Log_Forging | Implemented
Klocwork | | SV.LOG_FORGING | Implemented
Related Guidelines

- Injection [RST]
- CWE-144, Improper neutralization of line delimiters
- CWE-150, Improper neutralization of escape, meta, or control sequences
...