peval / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Log4JLogger.java doesn't output correct file & line number because FQCN isn't forwarded to Log4J #268

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

1. Use Log4JLogger
        logger = Log4JLogger.getLogger(TestESAPIValidationPatterns.class);
        logger.warn("starting up");

2. In log4j.properties, use a conversion pattern with a file name and line number location, for example:
  log4j.appender.R.layout.ConversionPattern=[%d{ISO8601}]%5p%6.6r[%t]%x - %C.%M(%F:%L) - %m%n

3. The log output will list the file & line number of the Log4JLogger class 
instead of the user's class info. This is incorrect; it should be the file and 
line number of the line that invoked Log4JLogger outside of the log package.

What is the expected output? What do you see instead?

Existing output:

[2012-04-09 20:42:03,265] WARN 80511[main] - org.owasp.esapi.reference.Log4JLogger.log(Log4JLogger.java:449) - [EVENT UNSPECIFIED Anonymous:null@unknown -> /ExampleApplication/com.coraid.sm.cms.junit.TestESAPIValidationPatterns] starting up

Expected output:

[2012-04-09 20:42:03,265 WARN 80511[main] - com.coraid.sm.cms.junit.TestESAPIValidationPatterns.setup(TestESAPIValidationPatterns.java:25) - [EVENT UNSPECIFIED Anonymous:null@unknown -> /ExampleApplication/com.coraid.sm.cms.junit.TestESAPIValidationPatterns] starting up

What version of the product are you using? On what operating system?

2.0.1 

Does this issue affect only a specified browser or set of browsers?

No

Please provide any additional information below.

The fix is in Log4JLogger.java in the log method which just needs an extra arg 
for the fully-qualified class name (FQCN) of the log wrapper.  This informs 
Log4J to continue up the stack past Log4JLogger wrapper when looking for the 
file name and line. 

Old:
        // log the message
        log(level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);

New:  
        // log the message
        log(Log4JLogger.class.getName(), level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);

Original issue reported on code.google.com by bschoeni on 10 Apr 2012 at 2:12
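
A simplified model of the caller lookup described in the issue above, as an added example that is not part of the original issue and is not ESAPI or Log4J code. `Backend` and `Wrapper` are hypothetical stand-ins for Log4J and `Log4JLogger`, and the stack scan is an assumed model of how a backend resolves the location from the FQCN it is given.

```java
// Added illustration, not ESAPI or Log4J source. Backend and Wrapper are
// hypothetical stand-ins for Log4J and Log4JLogger.
public class FqcnLocationDemo {
    static class Backend {
        static final String FQCN = Backend.class.getName();

        // Assumed lookup: find the outermost stack frame that belongs to the
        // class named by fqcn and report the frame that called it.
        static String locate(String fqcn) {
            StackTraceElement[] stack = new Throwable().getStackTrace();
            int last = -1;
            for (int i = 0; i < stack.length; i++) {
                if (stack[i].getClassName().equals(fqcn)) last = i;
            }
            if (last < 0 || last + 1 >= stack.length) return "?.?(?:?)"; // fqcn not on stack
            StackTraceElement c = stack[last + 1];
            return c.getClassName() + "." + c.getMethodName()
                    + "(" + c.getFileName() + ":" + c.getLineNumber() + ")";
        }

        // Plain entry point: the backend's own class is the boundary.
        static String log(String msg) { return log(FQCN, msg); }

        // Wrapper-aware entry point: the caller names the boundary class.
        static String log(String fqcn, String msg) { return locate(fqcn) + " - " + msg; }
    }

    static class Wrapper {
        // "Old" form from the issue: location resolves to this wrapper.
        static String warnOld(String msg) { return Backend.log(msg); }

        // "New" form: passing the wrapper's FQCN skips past the wrapper.
        static String warnNew(String msg) {
            return Backend.log(Wrapper.class.getName(), msg);
        }
    }

    public static void main(String[] args) {
        System.out.println("old: " + Wrapper.warnOld("starting up"));
        System.out.println("new: " + Wrapper.warnNew("starting up"));
    }
}
```

Run as a single source file with `java FqcnLocationDemo.java`: the "old" line reports `FqcnLocationDemo$Wrapper.warnOld`, while the "new" line reports `FqcnLocationDemo.main`, the code that actually called the wrapper.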

GoogleCodeExporter commented 9 years ago
see attached patch file

Original comment by bschoeni on 11 Apr 2012 at 11:47

GoogleCodeExporter commented 9 years ago
We do have this issue. Can you please provide the details on how you resolved this 
issue?

Original comment by thiruthi...@gmail.com on 12 Jul 2014 at 12:14

GoogleCodeExporter commented 9 years ago
The fix is in Log4JLogger.java in the log method which just needs an
extra arg for the fully-qualified class name (FQCN) of the log
wrapper.  This informs Log4J to continue up the stack past Log4JLogger
wrapper when looking for the file name and line.

Old:
        // log the message
        log(level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);

New:
        // log the message
        log(Log4JLogger.class.getName(), level, "[" + typeInfo + getUserInfo() + " -> " + appInfo + "] " + clean, throwable);

Original comment by bschoeni on 14 Jul 2014 at 7:21

GoogleCodeExporter commented 9 years ago
Hi,

I have fixed the issue following the ideas presented in the comments on this 
issue and created this pull request:

https://github.com/ESAPI/esapi-java-legacy/pull/342

Regards,
   Constantino

Original comment by const.cr...@gmail.com on 8 Dec 2014 at 6:36