Clarify LogFormatUtils limitLength vs replaceNewlines parameters #27632
Comments
@mum-viadee thanks for your comment. This was an intentional change, adapting the existing method to the new, three argument, In the framework, this is used in codecs for varied output of the request or response body at DEBUG vs TRACE level. Is that where you are seeing the impact?
I was searching for commits clarifying the impact of CVE-2021-22096 on our application. The commit looked like a fix for CR/LF injections. Therefore I was afraid that this was a bug, because it looked like the CR/LF were only removed when limitLength was true in the existing code.
I think that there is another bug (change in behaviour) in the commit. The version before the changeset truncated to size 100 only when limitLength was true. The new version contains:
So it sets maxLength to 100 regardless of the limitLength value, so it will truncate the result in all cases for the two-parameter formatValue. Fix:
@senglu you're looking at an intermediate change. Currently (and in 5.3.12) it is this:
spring-framework/spring-core/src/main/java/org/springframework/core/log/LogFormatUtils.java, line 46 in ff1485f
I've updated the Javadoc to make the intent more clear. @mum-viadee, thanks for the feedback. For the future, please use the usual channels for security related concerns or issues. We don't discuss those in public.
During the refactoring of the LogFormatUtils, a potential bug has been introduced in 5.3.12 in commit 90fdcf8. The parameter limitLength in the method formatValue(...) is used when calling the overloaded method, but it is used for the parameter replaceNewlines, which has a totally different meaning. This is on the one hand confusing and on the other hand could affect the fix for CVE-2021-22096.
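A small Java model of the two overloads as the thread describes them, added here for illustration; this is not Spring's LogFormatUtils source, and the class name, the `NEWLINE_PATTERN` constant, the `<EOL>` replacement token and the sample body are assumptions. It shows why passing `limitLength` through as `replaceNewlines` means that untrusted input logged with `limitLength=false` keeps its line breaks, and how the three-argument form lets a caller keep the full length while still neutralising CR/LF.

```java
import java.util.regex.Pattern;

// Illustrative model of the formatValue overloads discussed in the issue
// (not Spring's own code). Truncation and CR/LF replacement are independent
// concerns, controlled by separate parameters of the three-argument method.
public class LogFormatDemo {

    // Assumed: matches carriage return and line feed, the characters an
    // attacker-controlled value would need to forge an extra log line.
    private static final Pattern NEWLINE_PATTERN = Pattern.compile("[\r\n]");

    // Three-argument form: maxLength < 0 disables truncation; replaceNewlines
    // decides whether CR/LF are collapsed so the value stays on one log line.
    static String formatValue(Object value, int maxLength, boolean replaceNewlines) {
        if (value == null) {
            return "";
        }
        String result = String.valueOf(value);
        if (maxLength >= 0 && result.length() > maxLength) {
            result = result.substring(0, maxLength) + " (truncated)...";
        }
        if (replaceNewlines) {
            result = NEWLINE_PATTERN.matcher(result).replaceAll("<EOL>");
        }
        return result;
    }

    // Two-argument convenience form as described in the thread: one boolean
    // drives both truncation (100 chars) and newline replacement, which is
    // the DEBUG (true) vs TRACE (false) distinction the maintainer mentions.
    static String formatValue(Object value, boolean limitLength) {
        return formatValue(value, limitLength ? 100 : -1, limitLength);
    }

    public static void main(String[] args) {
        // Constructed sample: a request body that embeds a fake log record.
        String body = "user=alice\n2021-10-01 INFO login ok user=admin";

        // DEBUG-style call: truncated to 100 chars and CR/LF replaced.
        System.out.println(formatValue(body, true));

        // TRACE-style call: verbatim, so the embedded line break survives.
        // Anything logged this way must be trusted or sanitised elsewhere.
        System.out.println(formatValue(body, false));

        // Full length but no line breaks: use the three-argument form directly.
        System.out.println(formatValue(body, -1, true));
    }
}
```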