From: Chris Koeritz
Date: Fri, 10 Dec 2021 22:28:39 +0000 (-0500)
Subject: dropping flawed log4j jar and improving config
X-Git-Tag: 2.140.131^2~1
X-Git-Url: https://feistymeow.org/gitweb/?p=feisty_meow.git;a=commitdiff_plain;h=b6a31e0e31b2fa661518b93e9a1801324d41c265

dropping flawed log4j jar and improving config

the log4.properties now has mitigation of the bug spoken of here: https://news.ycombinator.com/item?id=29507263
---
diff --git a/kona/lib/full_jar_list.txt b/kona/lib/full_jar_list.txt
new file mode 100644
index 00000000..06650da5
--- /dev/null
+++ b/kona/lib/full_jar_list.txt
@@ -0,0 +1,14 @@
+./commons-logging-api-1.1.1.jar
+./SizeOf.jar
+./commons-logging-1.1.1.jar
+./commons-logging-adapters-1.1.1.jar
+./log4j-1.2.16.jar
+./org.eclipse.osgi_3.8.0.v20120529-1548.jar
+./commons-compress-1.8.1.jar
+./commons-io-2.4.jar
+./ant-junit.jar
+./commons-logging-1.1.1-sources.jar
+./commons-logging-tests.jar
+./commons-logging-1.1.1-javadoc.jar
+./junit-4.5.jar
+./commons-lang3-3.5.jar
diff --git a/kona/lib/log4j-1.2.16.jar b/kona/lib/log4j-1.2.16.jar
deleted file mode 100644
index 3f9d8476..00000000
Binary files a/kona/lib/log4j-1.2.16.jar and /dev/null differ
diff --git a/kona/log4j.properties b/kona/log4j.properties
index ef68572b..361aa578 100644
--- a/kona/log4j.properties
+++ b/kona/log4j.properties
@@ -5,7 +5,9 @@ log4j.rootCategory=, TTY, LOGFILE
 log4j.appender.TTY=org.apache.log4j.ConsoleAppender
 log4j.appender.TTY.Threshold=DEBUG
 log4j.appender.TTY.layout=org.apache.log4j.PatternLayout
-log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n
+log4j.appender.TTY.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n
+
+#NOTE: vulnerability with bare percent m style: https://news.ycombinator.com/item?id=29507263
 
 # LOGFILE is set to be a RollingFileAppender using a PatternLayout.
 log4j.appender.LOGFILE=org.apache.log4j.RollingFileAppender
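Review bot: The new inventory `kona/lib/full_jar_list.txt` still lists `./log4j-1.2.16.jar`, the jar this same commit deletes from `kona/lib/`, so the list is stale on arrival. Anyone auditing dependencies from this file would conclude that log4j 1.2.16 is still shipped. Drop that line or regenerate the list after the deletion. Nothing visible in the commit says how the list is produced or kept in sync with the directory, so a short header comment or commit-message line describing that would help.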
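Review bot: `%m{nolookups}` in the TTY ConversionPattern, and again in the LOGFILE pattern in the second hunk, is a Log4j 2.x pattern option, but this file configures `org.apache.log4j.PatternLayout`, the 1.x layout class. As far as I know the 1.x pattern parser accepts no option on `%m`, so `{nolookups}` is most likely printed literally after every message instead of changing behaviour; inspect a log line after this change to confirm. The message-lookup flaw in the linked thread is in Log4j 2.x message formatting, so under a 1.x runtime the original `%m%n` was not the exposure, and under a 2.x runtime the Log4j project later described this pattern option as an insufficient mitigation, with upgrading the library as the fix. Because the commit also deletes `log4j-1.2.16.jar`, it is not visible here what supplies `org.apache.log4j` at runtime, so the comment should state the target, for example `# NOTE: {nolookups} is a Log4j 2.x option; confirm which Log4j version loads this file`.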
@@ -14,5 +16,5 @@ log4j.appender.LOGFILE.MaxFileSize=10MB
 log4j.appender.LOGFILE.MaxBackupIndex=10
 log4j.appender.LOGFILE.Threshold=DEBUG
 log4j.appender.LOGFILE.layout=org.apache.log4j.PatternLayout
-log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m%n
+log4j.appender.LOGFILE.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss.SSS} %-5p [%-28c{2}] - %m{nolookups}%n
 