Re^2: Log4Shell and Log::Log4perl

Replies are listed 'Best First'.
Re^3: Log4Shell and Log::Log4perl by Fletch (Bishop) on Dec 26, 2021 at 04:04 UTC
As noted in the docs it's possible to disable this behavior with: `Log::Log4perl::Config->allow_code(0);` [download] The cake is a lie. The cake is a lie. The cake is a lie.	[reply] [d/l]
Re^4: Log4Shell and Log::Log4perl by afoken (Chancellor) on Dec 28, 2021 at 13:54 UTC
As noted in the docs it's possible to disable this behavior with: `Log::Log4perl::Config->allow_code(0);` [download] So it's insecure by default. Not nice. And the same is true for the next documented feature, `Log::Log4perl::Config->allowed_code_ops(...)`. Quoting the documentation: By default, a value of '1' is assumed, which does a normal 'eval' without any restrictions. Insecure by default, you have to lock it down explicitly. Again, not nice. Alexander -- Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)	[reply] [d/l] [select]
Re^3: Log4Shell and Log::Log4perl by Perlbotics (Archbishop) on Dec 25, 2021 at 11:00 UTC
If you can modify the config, you can modify the rest of the application. True in Perl, Python, Javascript etc., not necessary in Java, C++, etc. - or at least harder. It boils down to proper access permissions and running the application always with least privileges. The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect from a configuration file to hold static read only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.	[reply]
Re^4: Log4Shell and Log::Log4perl by etj (Priest) on Dec 26, 2021 at 01:39 UTC
True in Perl Do we agree that Log::Log4perl is Perl, though? unexpected or little known Log::Log4perl behaviour This doesn't seem to acknowledge your previous point that it's true in Perl.	[reply]