I am not sure I follow. I can't find a scenario where the logged data would either be directly executed or would result in pulling attacker-specified data from the network.
Author here. I in my article I didn't touch on 'log poinsoning'[1], what they could be referring to.
Vulnerability to log poisoning really depends on _what_ you do with your logs. If you display them on a webpage, beware of XSS. And -- I suppose -- if you use them in shell commands, beware of shell command injection.
In the article my focus was on vulnerabilities specific to Python's logging library.
EDIT
as an added point: I don't think preventing log poisoning should be responsibility of the logger. It'd be madness to try and escape all possible bad interpretations (HTML, shell, SQL, etc) of the data. About as crazy as PHP's automatic escaping of strings...
rbanffy|4 years ago
ariebovenberg|4 years ago
Vulnerability to log poisoning really depends on _what_ you do with your logs. If you display them on a webpage, beware of XSS. And -- I suppose -- if you use them in shell commands, beware of shell command injection.
In the article my focus was on vulnerabilities specific to Python's logging library.
EDIT
as an added point: I don't think preventing log poisoning should be responsibility of the logger. It'd be madness to try and escape all possible bad interpretations (HTML, shell, SQL, etc) of the data. About as crazy as PHP's automatic escaping of strings...
[1] https://owasp.org/www-community/attacks/Log_Injection#code-e...