ponder275 :
We have a method which we use to log java exceptions in a log file. The method allows the caller to pass variables they wish to be shown in the log message for debugging purposes and uses inserts blank lines and tabs to make the message stand out and be more readable.
However, all of the recommendations I see to prevent Log Forging attacks recommend stripping all of the CRLF's out of the logging message.
Is it considered bad practice to have CRLF's in a logging message? This method is only used internally and any user supplied information can be sanitized before being passed to the method.
radai :
generally - yes.
while this seems a nice feature at first glance, you should consider the following potential complications:
- depending on exactly how this is implemented, if you hand the underlying logging framework multiple lines as multiple logging invocations your statement could get interleaved with other concurrent logging statements, making the resulting log less readable
- various log-parsing tools tend to assume one line == one statement. most know how to account for exception stack traces (that are multi line) but not much beyond, so you may find yourself having to delve into things like ELK stack / loggly configs to teach it about your fancy multiline statements.
- complications around terminals with different widths (if youre printing to console)
Guess you like
Origin http://43.154.161.224:23101/article/api/json?id=310489&siteId=1