2

I'm trying to fix the CRLF vulnerability in my application logger. I'm currently logging my HTTP request Path. Is there a way to validate this, to remove any CR LF injection from my request Path? I'm currently using C# as my programming language.

This is my core code when logging an error:

 _logger.LogInformation(e, "InactiveTenantException caught during api request {RequestPath} {Tenant} {User}", context.Request.Path, currentUser?.Tenant, currentUser?.LoginEmail);

Note: I'm currently using Microsoft.Extensions.Logging as my logging tool.

4

1 Answer

2

Since you are using the PathString that is returned by HttpContext.Request.Path, you are getting an escaped string:

the path string escaped in a way which is correct for combining into the URI representation

Thus, there shouldn't be a CRLF vulnerability in your code.

If you make a request like /foo%5Cnbar, which is the encoded form of /foo\nbar, then you will get /foo%5Cnbar instead of two lines in your log file.

answered 2018-04-02T10:35:26.237
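As an added example (not code from the question or the answer): a small helper that makes CR, LF and other line-breaking characters visible before a value reaches the logger. It is meant for the other logged fields and for any decoded path string such as `Request.Path.Value`. `LogSanitizer`, `Neutralize` and the sample values are constructed for illustration, and the commented logger call assumes `Tenant` and `LoginEmail` are strings.

```csharp
using System;
using System.Text;

public static class LogSanitizer
{
    // Rewrites characters a log viewer may treat as a line break (CR, LF,
    // other control characters, U+2028, U+2029) as a visible \uXXXX escape.
    // Backslashes are doubled so an escaped value cannot be confused with
    // text the client typed literally.
    public static string Neutralize(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;

        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\\')
                sb.Append("\\\\");
            else if (char.IsControl(c) || c == '\u2028' || c == '\u2029')
                sb.Append("\\u").Append(((int)c).ToString("X4"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample values: a decoded path and a user field carrying CR/LF.
        string decodedPath = "/foo\r\nbar";
        string loginEmail = "a@example.test\nINFO forged entry";

        // Each value now prints on a single line.
        Console.WriteLine(LogSanitizer.Neutralize(decodedPath));
        Console.WriteLine(LogSanitizer.Neutralize(loginEmail));

        // Applied to the call from the question (assumes string properties):
        // _logger.LogInformation(e, "... {RequestPath} {Tenant} {User}",
        //     context.Request.Path,
        //     LogSanitizer.Neutralize(currentUser?.Tenant),
        //     LogSanitizer.Neutralize(currentUser?.LoginEmail));
    }
}
```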