dropping flawed log4j jar and improving config

[feisty_meow.git] / kona / log4j.properties

diff --git a/kona/log4j.properties b/kona/log4j.properties
index ef68572b65c76408607be4c244913b2889f61fe8..361aa5781b229d18d89702c38c3fe27d85a4825e 100644 (file)
--- a/kona/log4j.properties
+++ b/kona/log4j.properties
@@ -5,7 +5,9 @@ log4j.rootCategory=, TTY, LOGFILE
 log4j.appender.TTY=org.apache.log4j.ConsoleAppender\r
 log4j.appender.TTY.Threshold=DEBUG\r
 log4j.appender.TTY.layout=org.apache.log4j.PatternLayout\r
-log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n\r
+log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n\r
+\r
+#NOTE: vulnerability with bare percent m style: https://news.ycombinator.com/item?id=29507263\r
 \r
 # LOGFILE is set to be a RollingFileAppender using a PatternLayout.\r
 log4j.appender.LOGFILE=org.apache.log4j.RollingFileAppender\r
@@ -14,5 +16,5 @@ log4j.appender.LOGFILE.MaxFileSize=10MB
 log4j.appender.LOGFILE.MaxBackupIndex=10\r
 log4j.appender.LOGFILE.Threshold=DEBUG\r
 log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout\r
-log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n\r
+log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n\r
 \r