[reload4j] SQL injection problem in JDBCAppender
Ceki Gülcü
ceki at qos.ch
Wed Jan 19 12:53:03 CET 2022
On 1/19/2022 11:22 AM, Vladimir Sitnikov wrote:
> There's a case when users can override JDBCAppender, and override its
> flushBuffer method.
>
> So removing the class would break "drop-in replacement"
> I would rather suggest doing the following:
> 1) Throw an exception from JDBCAppender#flushBuffer unless there's
> reload4.appender.jdbc.allow_insecure_sql_replace=true
How do you prevent SQL injection in the first place?
--
Ceki Gülcü
Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
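As an added illustration of the override route the thread discusses (this is example code, not part of reload4j or log4j): a subclass that replaces flushBuffer() so event data is bound as JDBC parameters rather than substituted into the SQL text, which is the usual answer to the injection question above. It assumes a constructed table LOGS(LOGGER, LEVEL, MESSAGE) and the log4j 1.2 protected members buffer, getConnection(), closeConnection() and errorHandler that reload4j inherits as a drop-in replacement.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Iterator;

import org.apache.log4j.jdbc.JDBCAppender;
import org.apache.log4j.spi.ErrorCode;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Example subclass (not reload4j code). The stock appender formats the
 * configured sqlStatement as a layout pattern, so quotes or semicolons in a
 * message become part of the SQL. Here the SQL text is a fixed constant and
 * every event field is passed as a bound parameter.
 */
public class ParameterizedJdbcAppender extends JDBCAppender {

  // Assumed table layout for this example; no event text ever enters this string.
  private static final String INSERT_SQL =
      "INSERT INTO LOGS (LOGGER, LEVEL, MESSAGE) VALUES (?, ?, ?)";

  @Override
  public void flushBuffer() {
    Connection con = null;
    try {
      con = getConnection();
      try (PreparedStatement ps = con.prepareStatement(INSERT_SQL)) {
        for (Iterator<?> i = buffer.iterator(); i.hasNext();) {
          LoggingEvent event = (LoggingEvent) i.next();
          ps.setString(1, event.getLoggerName());
          ps.setString(2, event.getLevel().toString());
          // A message such as "user O'Brien logged in" stays data, not SQL.
          ps.setString(3, event.getRenderedMessage());
          ps.addBatch();
        }
        ps.executeBatch();
      }
    } catch (SQLException e) {
      errorHandler.error("Failed to execute parameterized insert", e,
          ErrorCode.FLUSH_FAILURE);
    } finally {
      // Like the parent implementation, events are dropped after one attempt
      // so a failing database cannot grow the buffer without bound.
      buffer.clear();
      if (con != null) {
        closeConnection(con);
      }
    }
  }
}
```

Because the statement is hard-coded, the sql/sqlStatement configuration property is ignored by this subclass; a schema change means changing INSERT_SQL and the bound fields together.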