[Esapi-user] Esapi logging question

Jim Manico jim.manico at owasp.org
Mon Jan 18 20:00:05 EST 2010


Answering an off-list question on the list:

> When Esapi boots, it prints the properties file, and some other
events, to System.out.

This is a significant security concern (i.e. logging the master salt and
other security critical information). This section of the code has been
commented out in both branches. We will eventually let you turn this
back on via configuration. But for now, property file output during
config setup time is disabled.

During configuration start time, we still print to System.out
information regarding property file loading. We use a function called
"logSpecial" which just calls System.out.println for now - and this can
be changed if anyone has a better idea. :)

This happens here for the 1.4.2 branch
http://owasp-esapi-java.googlecode.com/svn/branches/1.4/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
- mainly:

public InputStream getResourceStream( String filename ) throws IOException {
+
private Properties loadPropertiesFromStream( InputStream is, String name ) throws IOException {


> Can you tell me where exactly the Esapi boot process begins - what class?
> Where the first call to ESAPI.setLogFactory happens?

Similar questions. The bulk of the loading of implementations happens
in ESAPI.java.

As soon as you make any ESAPI call that requires a configuration
parameter, at that time it will try to load and cache property file
information. As soon as you call any ESAPI function, it will cache
that implementation as a static. In almost every case, this all happens
in one shot during server load time since logging and configuration are
intertwined in most reference implementation classes. setLogFactory is
called only when it's first used by your code, or by another ESAPI
function. As a PS: I want to drop the entire static method and move purely
to factories. Less performant but more scalable.

> Did you work with the logger in 1.4.2? Can I expect LogLevel=NONE to be respected?

I did not make any changes to the logging mechanism since 1.4.1rc1. If
anyone knows of any logging errors in 1.4.2, please let me know. I've
moved the entire build process more inline with 2.0. If 1.4.2 has any
critical errors due to this method, let me know, and I can churn out
1.4.3 fast.

-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net


> I saw your changelog for 1.4.2 where you mention you removed calls to System.out. I won't get to see how
> that works for me until tomorrow.
> I'm talking about the logging that starts with
> ========Master Configuration========
>
>
> I've played with setting the loglevel to NONE in ESAPI.properties, but I find that has absolutely no effect.
> I know NONE isn't listed in the properties file, but I see it referenced in the code.
>
> My questions:
> Can you tell me where exactly the Esapi boot process begins - what class? 
> Where the first call to ESAPI.setLogFactory happens?
> Did you work with the logger in 1.4.2? Can I expect LogLevel=NONE to be respected?
>
> Thanks,
>
> Allan

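The thread's concern is that a startup dump of the properties file leaks key material such as the master salt. The following is an added example written for this page, not code from ESAPI or from anyone in the thread: it loads a properties stream the way a config loader would and prints the "Master Configuration" banner with any key whose name looks like a secret masked. The sample property values are constructed and fake; the key-name pattern used to decide what counts as sensitive is an assumption and should be tuned to the real property file.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Properties;
import java.util.TreeSet;
import java.util.regex.Pattern;

/**
 * Added example (not ESAPI code): print a loaded properties file at startup
 * without disclosing secrets. Keys whose names suggest key material or
 * credentials are masked; everything else is printed verbatim.
 */
public class RedactingConfigDump {

    // Assumption: any key containing one of these words holds a secret.
    private static final Pattern SECRET_KEY =
        Pattern.compile("(?i)(masterkey|mastersalt|password|secret|privatekey|token)");

    /** Mask a value, keeping only its length so operators can spot an empty key. */
    static String mask(String value) {
        return value == null ? "<null>" : "******** (" + value.length() + " chars)";
    }

    static boolean isSensitive(String key) {
        return SECRET_KEY.matcher(key).find();
    }

    /** Load properties from a stream, as a config loader would from the classpath. */
    static Properties load(InputStream in) throws IOException {
        Properties p = new Properties();
        p.load(in); // Properties.load reads ISO-8859-1 by specification
        return p;
    }

    /** Render the startup banner with sensitive values masked. */
    static String render(Properties p) {
        StringBuilder sb = new StringBuilder("========Master Configuration========\n");
        // Sorted so the output is stable and easy to diff between boots.
        for (String key : new TreeSet<>(p.stringPropertyNames())) {
            String value = p.getProperty(key);
            sb.append(key).append('=')
              .append(isSensitive(key) ? mask(value) : value)
              .append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in ESAPI.properties style; the values are fake.
        String sample =
            "ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory\n" +
            "Encryptor.MasterKey=ZGVhZGJlZWZkZWFkYmVlZg==\n" +
            "Encryptor.MasterSalt=c2FsdHNhbHRzYWx0c2FsdA==\n" +
            "Logger.LogLevel=NONE\n";
        Properties p = load(new ByteArrayInputStream(
            sample.getBytes(StandardCharsets.ISO_8859_1)));
        // The two Encryptor.* lines come out masked; the others are printed as-is.
        System.out.print(render(p));
    }
}
```

If a project re-enables a configuration dump behind a flag, routing it through something like `render` rather than printing the raw `Properties` object keeps the banner useful for troubleshooting without putting the master key or salt into stdout, console capture or any log that collects it.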