Is your Python code vulnerable to log injection? – Arie Bovenberg (bovenberg.net)
23 points by rbanffy on Jan 5, 2022 | hide | past | favorite | 3 comments



they don't even address shell escape injection which is definitely possible...


I am not sure I follow. I can't find a scenario where the logged data would either be directly executed or would result in pulling attacker-specified data from the network.


Author here. In my article I didn't touch on 'log poisoning'[1], which they could be referring to.

Vulnerability to log poisoning really depends on _what_ you do with your logs. If you display them on a webpage, beware of XSS. And -- I suppose -- if you use them in shell commands, beware of shell command injection.

In the article my focus was on vulnerabilities specific to Python's logging library.

EDIT

as an added point: I don't think preventing log poisoning should be the responsibility of the logger. It'd be madness to try and escape all possible bad interpretations (HTML, shell, SQL, etc) of the data. About as crazy as PHP's automatic escaping of strings...

[1] https://owasp.org/www-community/attacks/Log_Injection#code-e...
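To make the distinction in the thread concrete, here is the newline-based log injection the submitted article is about, beside a logger-side mitigation. This is an added example, not code from the article or from any commenter; the formatter class, the `render_log` helper and the `FORGED` input are constructed for this illustration, and escaping HTML or shell metacharacters at the sink is deliberately left out, as the comment above argues it should be.

```python
import io
import logging

# Constructed attacker-controlled value: the embedded newline would start a
# second, forged log entry if written to the log unescaped.
FORGED = "alice\nINFO login succeeded for user admin"


class ControlCharEscapingFormatter(logging.Formatter):
    """Hypothetical formatter that keeps every log record on a single line.

    Control characters (newline, tab, escape, ...) in the rendered record are
    replaced by their Python escape sequence, so user-supplied data cannot
    forge a new entry. It does not escape HTML or shell syntax; that is the
    job of whatever later consumes the log, not of the logger.
    """

    def format(self, record: logging.LogRecord) -> str:
        rendered = super().format(record)
        # repr("\n") == "'\\n'"; strip the quotes to get the bare escape
        return "".join(
            ch if ch.isprintable() else repr(ch)[1:-1] for ch in rendered
        )


def render_log(username: str, safe: bool) -> list:
    """Log a constructed failed-login event and return the resulting lines.

    safe=False uses the stock Formatter (vulnerable to newline injection);
    safe=True uses ControlCharEscapingFormatter.
    """
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    fmt = "%(levelname)s %(message)s"
    handler.setFormatter(
        ControlCharEscapingFormatter(fmt) if safe else logging.Formatter(fmt)
    )
    logger = logging.getLogger("demo.safe" if safe else "demo.raw")
    logger.handlers.clear()  # idempotent across repeated calls
    logger.addHandler(handler)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.warning("failed login for user %s", username)
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in render_log(FORGED, safe=False):
        print("raw :", line)  # two lines: the second looks like a real entry
    for line in render_log(FORGED, safe=True):
        print("safe:", line)  # one line, newline shown as \n
```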



