Beefy Boxes and Bandwidth Generously Provided by pair Networks
Do you know where your variables are?
 
PerlMonks  

Re^2: Log4Shell and Log::Log4perl

by etj (Chaplain)
on Dec 24, 2021 at 19:23 UTC ( #11139875=note: print w/replies, xml ) Need Help??


in reply to Re: Log4Shell and Log::Log4perl
in thread Log4Shell and Log::Log4perl

If you can modify the config, you can modify the rest of the application. This doesn't seem like a meaningful point in discussing possible security flaws in any library?

Replies are listed 'Best First'.
Re^3: Log4Shell and Log::Log4perl
by Fletch (Bishop) on Dec 26, 2021 at 04:04 UTC

    As noted in the docs it's possible to disable this behavior with:

    Log::Log4perl::Config->allow_code(0);

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.

      As noted in the docs it's possible to disable this behavior with:

      Log::Log4perl::Config->allow_code(0);

      So it's insecure by default. Not nice.

      And the same is true for the next documented feature, Log::Log4perl::Config->allowed_code_ops(...). Quoting the documentation:

      By default, a value of '1' is assumed, which does a normal 'eval' without any restrictions.

      Insecure by default, you have to lock it down explicitly. Again, not nice.

      Alexander

      --
      Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
Re^3: Log4Shell and Log::Log4perl
by Perlbotics (Bishop) on Dec 25, 2021 at 11:00 UTC

    If you can modify the config, you can modify the rest of the application.
    True in Perl, Python, Javascript etc., not necessary in Java, C++, etc. - or at least harder. It boils down to proper access permissions and running the application always with least privileges.

    The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect from a configuration file to hold static read only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.

      True in Perl

      Do we agree that Log::Log4perl is Perl, though?

      unexpected or little known Log::Log4perl behaviour

      This doesn't seem to acknowledge your previous point that it's true in Perl.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://11139875]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others meditating upon the Monastery: (4)
As of 2022-06-27 10:38 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My most frequent journeys are powered by:









    Results (88 votes). Check out past polls.

    Notices?