[Esapi-user] [Esapi-dev] Esapi logging question

Craig Younkins craig.younkins at owasp.org
Sat Jan 23 17:53:39 EST 2010


Jim,

>> When Esapi boots, it prints the properties file, and some other
events, to System.out.

> This is a significant security concern (ie: logging the master salt and
other security critical information). This section of the code has been
commented out in both branches

Just wanted to point out that that code was designed to not disclose all
configuration variables. It would filter out any parameter with "Master" in
the name, so the MasterSalt has never (?) been printed during the parsing of
the configuration.

That being said, I don't think that was a great solution either. I would
love to see a boolean configuration variable indicating whether or not to
dump the configuration to the console AND a globbing configuration variable
indicating what to never print. Something like....

General.PrintConfiguration = true
General.NeverPrint = "Master*, General*"

Comments?

--

Craig Younkins
Website/Blog <http://cyounkins.blogspot.com/>

On Mon, Jan 18, 2010 at 8:00 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Answering an off-list question to the lists:
>
> > When Esapi boots, it prints the properties file, and some other
> events, to System.out.
>
> This is a significant security concern (ie: logging the master salt and
> other security critical information). This section of the code has been
> commented out in both branches. We will eventually let you turn this
> back on via configuration. But for now, property file output during
> config setup time is disabled.
>
> During configuration start time, we still print to System.out
> information regarding property file loading. We use a function called
> "logSpecial" which just calls System.out.println for now - and this can
> be changed if anyone has a better idea. :)
>
> This happens here for the 1.4.2 branch
>
> http://owasp-esapi-java.googlecode.com/svn/branches/1.4/src/main/java/org/owasp/esapi/reference/DefaultSecurityConfiguration.java
> - mainly:
>
> public InputStream getResourceStream( String filename ) throws IOException
> {
> +
> private Properties loadPropertiesFromStream( InputStream is, String name )
> throws IOException {
>
>
> > Can you tell me where exactly the Esapi boot process begins - what class?
> > Where the first call to ESAPI.setLogFactory happens?
>
> Similar questions.  The bulk of the loading of implementations happens
> in ESAPI.java.
>
> As soon as you make any ESAPI call that requires a configuration
> parameter, at that time it will try to load and cache property file
> information. As soon as you call any ESAPI function - it will cache
> that implementation as a static. In almost every case, this all happens
> in one shot during server load time since logging and configuration are
> interwound into most reference implementation classes. setLogFactory is
> called only when it's first used by your code, or another ESAPI
> function. As a PS: I want to drop the entire static method and move purely
> to factories. Less performant but more scalable.
>
> > Did you work with the logger in 1.4.2? Can I expect LogLevel=NONE to be
> respected?
>
> I did not make any changes to the logging mechanism since 1.4.1rc1. If
> anyone knows of any logging errors in 1.4.2, please let me know. I've
> moved the entire build process more inline with 2.0. If 1.4.2 has any
> critical errors due to this method, let me know, and I can churn out
> 1.4.3 fast.
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> OWASP ESAPI Project Manager
> http://www.manico.net
>
>
> > I saw your changelog for 1.4.2 where you mention you removed calls to
> System.out. I won't get to see how
> > that works for me until tomorrow.
> > I'm talking about the logging that starts with
> > ========Master Configuration========
> >
> >
> > I've played with setting the loglevel to NONE in ESAPI.properties, but I
> find that has absolutely no effect.
> > I know NONE isn't listed in the properties file, but I see it referenced
> in the code.
> >
> > My questions:
> > Can you tell me where exactly the Esapi boot process begins - what class?
> > Where the first call to ESAPI.setLogFactory happens?
> > Did you work with the logger in 1.4.2? Can I expect LogLevel=NONE to be
> respected?
> >
> > Thanks,
> >
> > Allan
>
>
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
>
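One way to realise the PrintConfiguration/NeverPrint idea proposed above, as an added Java example that is neither Craig's nor ESAPI's code; the class name, the 1.4-style key names and the placeholder secret values are assumptions made for the illustration:

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.TreeSet;
import java.util.regex.Pattern;

public class ConfigDumpFilter {
    /** Turn "Master*, General*" into anchored regexes; only '*' is special, everything else is quoted. */
    static List<Pattern> compileGlobs(String globList) {
        List<Pattern> patterns = new ArrayList<>();
        for (String glob : globList.split(",")) {
            glob = glob.trim(); if (glob.isEmpty()) continue;
            StringBuilder regex = new StringBuilder();
            String[] parts = glob.split("\\*", -1);          // -1 keeps the trailing empty part of "Master*"
            for (int i = 0; i < parts.length; i++) {
                if (i > 0) regex.append(".*");
                if (!parts[i].isEmpty()) regex.append(Pattern.quote(parts[i]));
            }
            patterns.add(Pattern.compile(regex.toString()));
        }
        return patterns;
    }

    /** Lines that would reach the console; empty unless General.PrintConfiguration is true. */
    static List<String> dumpConfiguration(Properties props) {
        List<String> lines = new ArrayList<>();
        if (!Boolean.parseBoolean(props.getProperty("General.PrintConfiguration", "false"))) return lines;
        List<Pattern> never = compileGlobs(props.getProperty("General.NeverPrint", ""));
        for (String key : new TreeSet<>(props.stringPropertyNames())) {   // sorted for stable output
            boolean hidden = never.stream().anyMatch(p -> p.matcher(key).matches());
            if (!hidden) lines.add(key + " = " + props.getProperty(key));
        }
        return lines;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample in the 1.4-era key style; the Master* values are placeholders, not real material.
        String sample = "General.PrintConfiguration = true\n"
                + "General.NeverPrint = Master*, General*\n"
                + "MasterPassword = placeholder-not-a-secret\n"
                + "MasterSalt = placeholder-not-a-salt\n"
                + "LogLevel = NONE\n"
                + "LogEncodingRequired = false\n";
        Properties props = new Properties();
        props.load(new StringReader(sample));
        dumpConfiguration(props).forEach(System.out::println);   // only the two Log* lines survive the filter
    }
}
```

Note that the glob is matched against the whole key, so a prefixed name such as Encryptor.MasterKey would need "*Master*" rather than "Master*" to be hidden.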