From 45c90767ff697209c4e46581f796807c0093f527 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Thu, 2 Mar 2017 16:32:21 +1000
Subject: [PATCH] CMS.getLogMessage: escape format elements in arguments
CMS.getLogMessage performs message formatting via MessageFormat, then the message gets logged via a Logger. The Logger also performs message formatting via MessageFormat. If the formatted log message contains '{' or '}' (e.g. if it contains JSON) the MessageFormat implementation interprets these as FormatElement delimiters and parsing fails. Update CMS.getLogMessage() to scan arguments for unsafe characters and if found, escape the whole message so that subsequent logging will succeed.
Part of: https://pagure.io/dogtagpki/issue/1359
---
 .../cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 90ee8b90a4841ee79970c9b857b95468d7ecd2ec..31ec53f8aaeda818bf174111f115cf611267897c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1592,7 +1592,21 @@ public class CMSEngine implements ICMSEngine {
 return msg;
 MessageFormat mf = new MessageFormat(msg);
- return mf.format(params);
+ String escapedParams[] = new String[params.length];
+ for (int i = 0; i < params.length; i++)
+ escapedParams[i] = escapeLogMessageParam(params[i]);
+
+ return mf.format(escapedParams);
+ }
+
+ /** Quote a string for inclusion in a java.text.MessageFormat
+ */
+ private String escapeLogMessageParam(String s) {
+ if (s == null)
+ return null;
+ if (s.contains("{") || s.contains("}"))
+ return "'" + s.replaceAll("'", "''") + "'";
+ return s;
 }
 public void debug(byte data[]) {
-- 
2.9.3
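Review bot: `escapeLogMessageParam` quotes an argument only when it contains `{` or `}`, so an argument with a lone apostrophe is returned unchanged and still reaches the Logger's second MessageFormat pass that the commit message describes, where `'` opens a quoted section. That pass then drops the apostrophe from the logged text, and if a later argument was quoted by this method, the stray quote pairs with that argument's opening quote and leaves its braces to be parsed as a format element again. Extending the test to `if (s.contains("{") || s.contains("}") || s.contains("'"))` would cover it, and `s.replace("'", "''")` performs the same literal substitution without the regex engine. Apostrophes coming from the bundle pattern itself are not visible here and may need the same treatment. The body of `getLogMessage` starts outside the hunk, so this assumes `params` is the only caller-supplied text passed to `mf.format`.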