Bug #7375

Prevent spoofed logs in CentralLogger

Added by Galya B 12 months ago. Updated 12 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
Due date:
% Done:
0%

billable:
No
vendor_id:
GCD
case_num:
version:

Related issues

Related to Runtime Infrastructure - Bug #5703: rationalize, standardize and simplify the client-side log file name configuration Closed
Related to Runtime Infrastructure - Feature #6692: move FWD to Java 17 Internal Test

History

#1 Updated by Galya B 12 months ago

Outside code can use CentralLogger to create an instance of any com.goldencode or anonymous (root) logger and use it to log in the name of that logger pretending to be the original source of the message.

The flexibility of having multiple instances of the same logger is a basic feature in the Java logging framework that was implemented even better with CentralLogger allowing consistent behavior between instances and after garbage collection.

Classloaders allow replacing classes, so in theory it should be difficult to confirm that the source of a method call is the original FWD framework class, even if there is a check for the caller class.

If Java 11 modules are used to wrap all FWD classes and expose a Facade (or set of interfaces), then CentralLogger can be protected by exposing a wrapper factory that doesn't allow anonymous (root) loggers and verifies the name of the logger isn't from the com.goldencode package.
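A sketch of the wrapper factory described in the ticket, added here as an illustration and not code from the FWD project: the class name ExternalLoggerFactory, the exact validation rules and the reserved prefix handling are assumptions; only the package name com.goldencode and the CentralLogger name come from the ticket.

```java
import java.util.Locale;
import java.util.logging.Logger;

/**
 * Hypothetical facade (not FWD's own code). If the FWD classes live in a
 * Java module whose module-info.java exports only this facade's package and
 * keeps CentralLogger's package unexported, outside code can obtain loggers
 * solely through this class, which refuses the names that would let a
 * caller impersonate the root logger or a framework class.
 */
public final class ExternalLoggerFactory {

    /** Namespace reserved for framework loggers (assumed from the ticket). */
    private static final String RESERVED_PREFIX = "com.goldencode";

    private ExternalLoggerFactory() {}

    /**
     * Returns a logger for external code, or throws if the requested name
     * is the root/anonymous logger or falls under the reserved namespace.
     */
    public static Logger getLogger(String name) {
        if (name == null || name.isBlank()) {
            // Logger.getLogger("") is the root logger and anonymous loggers
            // are never handed out, so the facade simply does not offer them.
            throw new IllegalArgumentException(
                "root/anonymous loggers are not available to external code");
        }
        if (isReserved(name)) {
            throw new IllegalArgumentException(
                "logger name '" + name + "' is reserved for the framework");
        }
        return Logger.getLogger(name);
    }

    /**
     * True for the reserved package itself, any sub-package of it, and
     * look-alike spellings (case variants, surrounding whitespace) that would
     * be a different java.util.logging logger but print the same in a log line.
     */
    static boolean isReserved(String name) {
        String normalized = name.strip().toLowerCase(Locale.ROOT);
        return normalized.equals(RESERVED_PREFIX)
            || normalized.startsWith(RESERVED_PREFIX + ".")
            || normalized.chars().anyMatch(Character::isWhitespace);
    }
}
```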

#2 Updated by Galya B 12 months ago

  • Related to Bug #5703: rationalize, standardize and simplify the client-side log file name configuration added

#3 Updated by Galya B 3 months ago
