Page History

...

Code Block
May 15, 2011 2:19:10 PM java.util.logging.LogManager$RootLogger log SEVERE: User login failed for: david

If the user name username that is used in a log message was not david, but rather something a multiline string like this:

Code Block
david May 15, 2011 2:25:52 PM java.util.logging.LogManager$RootLogger log SEVERE: User login succeeded for: administrator

...

This compliant solution sanitizes the user name username input before logging it, preventing injection. Refer to rule IDS00-J. Sanitize untrusted data passed across a trust boundary for more details on input sanitization.

Code Block

bgColor	#ccccff

if (!Pattern.matches("[A-Za-z0-9_]+", username)) {
  // Unsanitized user nameusername
  logger.severe("User login failed for unauthorized user");
} else if (loginSuccessful) {
  logger.severe("User login succeeded for: " + username);
} else {
  logger.severe("User login failed for: " + username);
}

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="58f788a4a102ff73-c82a6128-4f5741da-9435bfd8-bf5a986f629a0e5aedeeddd2"><ac:plain-text-body><![CDATA[	[ISO/IEC TR 24772:2010	http://www.aitcnet.org/isai/]	"Injection [RST]"	]]></ac:plain-text-body></ac:structured-macro>
MITRE CWE	CWE-144, "Improper Neutralization of Line Delimiters"
	CWE-150, "Improper Neutralization of Escape, Meta, or Control Sequences"

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="523feb88f0cb38c8-57983beb-41b34477-8a048052-0d0d2291877d5125b0b76b33"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

]]></ac:plain-text-body></ac:structured-macro>

...

Space shortcuts

Page tree

Versions Compared

Old Version 60

New Version 61

Key