<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<base href="https://jira.qos.ch">
<title>Message Title</title>
</head>
<body class="jira" style="color: #333333; font-family: Arial, sans-serif; font-size: 14px; line-height: 1.429">
<table id="background-table" cellpadding="0" cellspacing="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; background-color: #f5f5f5; border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt" bgcolor="#f5f5f5">
<!-- header here -->
<tbody>
<tr>
<td id="header-pattern-container" style="padding: 0px; border-collapse: collapse; padding: 10px 20px">
<table id="header-pattern" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="header-avatar-image-container" valign="top" style="padding: 0px; border-collapse: collapse; vertical-align: top; width: 32px; padding-right: 8px" width="32"> <img id="header-avatar-image" class="image_fix" src="cid:jira-generated-image-avatar-bff17782-714d-4d44-a1ac-084e682d3592" height="32" width="32" border="0" style="border-radius: 3px; vertical-align: top"> </td>
<td id="header-text-container" valign="middle" style="padding: 0px; border-collapse: collapse; vertical-align: middle; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 1px"> <a class="user-hover" rel="michael-o" id="email_michael-o" href="https://jira.qos.ch/secure/ViewProfile.jspa?name=michael-o" style="color:#0052cc;; color: #3b73af; text-decoration: none">Michael Osipov</a> <strong>commented</strong> on <a href="https://jira.qos.ch/browse/LOGBACK-1591" style="color: #3b73af; text-decoration: none"><img src="cid:jira-generated-image-avatar-11eb340c-d884-4c9a-b7aa-5edfc7c69c58" height="16" width="16" border="0" align="absmiddle" alt="Bug"> LOGBACK-1591</a> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="email-content-container" style="padding: 0px; border-collapse: collapse; padding: 0 20px">
<table id="email-content-table" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; border-spacing: 0; border-collapse: separate">
<tbody>
<tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<td class="email-content-rounded-top mobile-expand" style="padding: 0px; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 15px; background-color: #ffffff; border-left: 1px solid #cccccc; border-top: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom: 0; border-top-right-radius: 5px; border-top-left-radius: 5px; height: 10px; line-height: 10px; padding: 0 15px 0 16px; mso-line-height-rule: exactly" height="10" bgcolor="#ffffff"> </td>
</tr>
<tr>
<td class="email-content-main mobile-expand " style="padding: 0px; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff" bgcolor="#ffffff">
<table class="page-title-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td style="vertical-align: top;; padding: 0px; border-collapse: collapse; padding-right: 5px; font-size: 20px; line-height: 30px; mso-line-height-rule: exactly" class="page-title-pattern-header-container"> <span class="page-title-pattern-header" style="font-family: Arial, sans-serif; padding: 0; font-size: 20px; line-height: 30px; mso-text-raise: 2px; mso-line-height-rule: exactly; vertical-align: middle"> <a href="https://jira.qos.ch/browse/LOGBACK-1591" style="color: #3b73af; text-decoration: none">Re: Possibility of vulnerability </a> </span> </td>
</tr>
</tbody>
</table> </td>
</tr>
<tr>
<td id="text-paragraph-pattern-top" class="email-content-main mobile-expand comment-top-pattern" style="padding: 0px; border-collapse: collapse; border-left: 1px solid #cccccc; border-right: 1px solid #cccccc; border-top: 0; border-bottom: 0; padding: 0 15px 0 16px; background-color: #ffffff; border-bottom: none; padding-bottom: 0" bgcolor="#ffffff">
<table class="text-paragraph-pattern" cellspacing="0" cellpadding="0" border="0" width="100%" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; font-family: Arial, sans-serif; font-size: 14px; line-height: 20px; mso-line-height-rule: exactly; mso-text-raise: 2px">
<tbody>
<tr>
<td class="text-paragraph-pattern-container mobile-resize-text " style="padding: 0px; border-collapse: collapse; padding: 0 0 10px 0"> <p style="margin: 10px 0 0 0; margin-top: 0">Something is really fishy here and both the report and fix are hasty. cn-panda is partially proving: Caution, water is wet! He processes unsanitized multipart input and persists to disk. This is <b>not</b> a Logback issue and I told him so, this is a general issue. Very very constructed since you need to start fuzzing for the logback config file. Moreover this demo is incomplete because there is no code that launches the calculator. </p> <p style="margin: 10px 0 0 0">Anyway, the complete removal of the JNDI code is just wrong. It completely breaks valid use cases:</p>
<div class="code panel" style="border-width: 1px;; border: 1px solid #cccccc; background: #f5f5f5; font-size: 12px; line-height: 1.333; font-family: monospace; border: 1px solid #cccccc; -moz-border-radius: 3px 3px 3px 3px; border-radius: 3px 3px 3px 3px; margin: 9px 0">
<div class="codeContent panelContent" style="padding: 9px 12px">
<pre class="code-xml" style="margin: 10px 0 0 0; margin-top: 0; max-height: 30em; overflow: auto; white-space: pre-wrap; word-wrap: normal">
<span class="code-tag" style="color: #000091">&lt;configuration&gt;</span>
  <span class="code-tag" style="color: #000091">&lt;insertFromJNDI env-entry-name=<span class="code-quote" style="color: #009100">"java:comp/env/context/baseName"</span> as=<span class="code-quote" style="color: #009100">"contextName"</span> /&gt;</span>
  <span class="code-tag" style="color: #000091">&lt;contextName&gt;</span>${contextName}<span class="code-tag" style="color: #000091">&lt;/contextName&gt;</span>
  &lt;appender name=<span class="code-quote" style="color: #009100">"FILE"</span>
            class=<span class="code-quote" style="color: #009100">"ch.qos.logback.core.rolling.RollingFileAppender"</span>&gt;
    <span class="code-tag" style="color: #000091">&lt;file&gt;</span>${catalina.base}/logs/${CONTEXT_NAME}.log<span class="code-tag" style="color: #000091">&lt;/file&gt;</span>
    <span class="code-tag" style="color: #000091">&lt;rollingPolicy class=<span class="code-quote" style="color: #009100">"ch.qos.logback.core.rolling.TimeBasedRollingPolicy"</span>&gt;</span>
      <span class="code-tag" style="color: #000091"><span class="code-comment" style="color: #808080">&lt;!-- daily rollover --&gt;</span></span>
      <span class="code-tag" style="color: #000091">&lt;fileNamePattern&gt;</span>${catalina.base}/logs/${CONTEXT_NAME}.log.%d.gz<span class="code-tag" style="color: #000091">&lt;/fileNamePattern&gt;</span>
      <span class="code-tag" style="color: #000091">&lt;maxHistory&gt;</span>30<span class="code-tag" style="color: #000091">&lt;/maxHistory&gt;</span>
    <span class="code-tag" style="color: #000091">&lt;/rollingPolicy&gt;</span>
    <span class="code-tag" style="color: #000091">&lt;encoder&gt;</span>
      <span class="code-tag" style="color: #000091">&lt;pattern&gt;</span>%-27(%d{HH:mm:ss.SSS} [%.-12thread]) %-22([%.-20X{ad.displayName}]) %-5level %logger{36} - %msg%n<span class="code-tag" style="color: #000091">&lt;/pattern&gt;</span>
    <span class="code-tag" style="color: #000091">&lt;/encoder&gt;</span>
  <span class="code-tag" style="color: #000091">&lt;/appender&gt;</span>
  <span class="code-tag" style="color: #000091">&lt;root level=<span class="code-quote" style="color: #009100">"INFO"</span>&gt;</span>
    <span class="code-tag" style="color: #000091">&lt;appender-ref ref=<span class="code-quote" style="color: #009100">"FILE"</span> /&gt;</span>
  <span class="code-tag" style="color: #000091">&lt;/root&gt;</span>
<span class="code-tag" style="color: #000091">&lt;/configuration&gt;</span>
</pre>
</div>
</div> <p style="margin: 10px 0 0 0">I would expect Logback to simply limit the JNDI namespace to <tt>java:</tt> which should be in the local VM and that's it. No more other URL providers, but local ones. Btw, this is actually contained in the fix in Log4J2.</p> </td>
</tr>
</tbody>
</table> </td>
</tr>
<!-- there needs to be content in the cell for it to render in some clients -->
<tr>
<td class="email-content-rounded-bottom mobile-expand" style="padding: 0px; border-collapse: collapse; color: #ffffff; padding: 0 15px 0 16px; height: 5px; line-height: 5px; background-color: #ffffff; border-top: 0; border-left: 1px solid #cccccc; border-bottom: 1px solid #cccccc; border-right: 1px solid #cccccc; border-bottom-right-radius: 5px; border-bottom-left-radius: 5px; mso-line-height-rule: exactly" height="5" bgcolor="#ffffff"> </td>
</tr>
</tbody>
</table> </td>
</tr>
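<tr>
<td style="padding: 0px; border-collapse: collapse; padding: 10px 20px">
<p style="margin: 10px 0 0 0">The restriction suggested in the comment above (accept only JNDI names in the <tt>java:</tt> namespace and refuse every other URL scheme), sketched as an added example. This is not code from the Logback or Log4j2 projects; the class name <tt>LocalJndiLookup</tt> and its methods are hypothetical, and the sample names in <tt>main</tt> are constructed.</p>

```java
import javax.naming.Context;
import javax.naming.NamingException;

/** Added illustration (hypothetical class name); not Logback's or Log4j2's code. */
public final class LocalJndiLookup {
    // Only names in the container-local java: namespace are accepted.
    private static final String JAVA_NAMESPACE = "java:";

    private LocalJndiLookup() { }

    /** True only for names that start with the exact, lower-case java: prefix. */
    static boolean isLocalName(String name) {
        // No trimming and no case folding: anything that is not literally
        // java:<something> is refused, so URL-style names (ldap:, rmi:, dns:, ...)
        // are rejected before any lookup is attempted.
        return name != null
                && name.startsWith(JAVA_NAMESPACE)
                && name.length() > JAVA_NAMESPACE.length();
    }

    /** Validates the name first, then delegates to the supplied context. */
    static Object lookup(Context ctx, String name) throws NamingException {
        if (!isLocalName(name)) {
            throw new NamingException(
                    "JNDI name must start with " + JAVA_NAMESPACE + " but was: " + name);
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample names; the first is the env-entry used in the
        // configuration quoted in the comment.
        String[] samples = {
            "java:comp/env/context/baseName",
            "ldap://directory.example.invalid/cn=x",
            "rmi://registry.example.invalid/obj",
            " java:comp/env/foo",   // leading space: rejected, not trimmed
            "JAVA:comp/env/foo",    // wrong case: rejected
            "java:",                // prefix only: rejected
            null
        };
        for (String s : samples) {
            System.out.println((isLocalName(s) ? "allow  " : "reject ") + s);
        }
    }
}
```

<p style="margin: 10px 0 0 0">With a check of this kind in front of the lookup, the <tt>insertFromJNDI</tt> configuration quoted above keeps working, because its <tt>env-entry-name</tt> is already in the <tt>java:</tt> namespace.</p>
</td>
</tr>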
<tr>
<td id="footer-pattern" style="padding: 0px; border-collapse: collapse; padding: 12px 20px">
<table id="footer-pattern-container" cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="footer-pattern-text" class="mobile-resize-text" width="100%" style="padding: 0px; border-collapse: collapse; color: #999999; font-size: 12px; line-height: 18px; font-family: Arial, sans-serif; mso-line-height-rule: exactly; mso-text-raise: 2px"> This message was sent by Atlassian Jira <span id="footer-build-information">(v8.8.0#808000-<span title="e2c7e59ae165efc6ad6b529150e24d091b9947bf" data-commit-id="e2c7e59ae165efc6ad6b529150e24d091b9947bf}">sha1:e2c7e59</span>)</span> </td>
<td id="footer-pattern-logo-desktop-container" valign="top" style="padding: 0px; border-collapse: collapse; padding-left: 20px; vertical-align: top">
<table style="border-collapse: collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt">
<tbody>
<tr>
<td id="footer-pattern-logo-desktop-padding" style="padding: 0px; border-collapse: collapse; padding-top: 3px"> <img id="footer-pattern-logo-desktop" src="https://jira.qos.ch/images/mail/atlassian-email-logo.png" alt="Atlassian logo" title="Atlassian logo" width="191" height="24" class="image_fix"> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table> </td>
</tr>
</tbody>
</table>
</body>
</html>