{"id":9902,"library":"logging-formatter-anticrlf","title":"Anti-CRLF Logging Formatter","description":"logging-formatter-anticrlf is a Python logging Formatter designed to prevent CRLF Injection (CWE-93 / CWE-117) by sanitizing log messages. It ensures that newline characters and other control characters are properly escaped or removed, mitigating the risk of log forging attacks. The current version is 1.2.1, and it maintains a focused feature set with stable, infrequent releases.","status":"active","version":"1.2.1","language":"en","source_language":"en","source_url":"https://github.com/darrenpmeyer/logging-formatter-anticrlf","tags":["logging","security","crlf-injection","cwe-93","cwe-117","formatter"],"install":[{"cmd":"pip install logging-formatter-anticrlf","lang":"bash","label":"Install stable release"}],"dependencies":[],"imports":[{"note":"The main formatter class is directly exposed at the top-level package for convenience, not within a sub-module like 'formatter'.","wrong":"from logging_formatter_anticrlf.formatter import AntiCRLFFormatter","symbol":"AntiCRLFFormatter","correct":"from logging_formatter_anticrlf import AntiCRLFFormatter"}],"quickstart":{"code":"import logging\nimport sys\nfrom logging_formatter_anticrlf import AntiCRLFFormatter\n\n# Configure the logger\nlogger = logging.getLogger(__name__)\nlogger.setLevel(logging.INFO)\n\n# Create a console handler\nhandler = logging.StreamHandler(sys.stdout)\nhandler.setLevel(logging.INFO)\n\n# Create an AntiCRLFFormatter and set it on the handler\n# The formatter will sanitize the message before output\nformatter = AntiCRLFFormatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')\nhandler.setFormatter(formatter)\n\n# Add the handler to the logger\nlogger.addHandler(handler)\n\n# Test messages with potential CRLF injection\nlogger.info(\"This is a safe log message.\")\nlogger.info(\"User input: %s\", \"username\\r\\nevil_injection\")\nlogger.warning(\"Another line for a multi-line attack: %s\", \"value\\nmalicious\")\n\n# Expected output: Newlines and carriage returns will be replaced or escaped in the output.","lang":"python","description":"This quickstart demonstrates how to integrate `AntiCRLFFormatter` into a standard Python logging setup. It shows how to instantiate the formatter and apply it to a `StreamHandler` to sanitize log messages before they are written to the console, preventing CRLF injection."},"warnings":[{"fix":"Always pass potentially untrusted input via the message argument and its formatting arguments (e.g., `logger.info('User: %s', user_input)`). Ensure any custom formatters or handlers explicitly sanitize other log record attributes if they contain untrusted data.","message":"The `AntiCRLFFormatter` primarily sanitizes the `message` field (and its arguments) that are processed by the formatter. If sensitive user input is directly included in other log record attributes (e.g., via the `extra` dict for custom fields) and those attributes are formatted directly by handlers or custom formatters, CRLF injection might still be possible.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Combine `AntiCRLFFormatter` with a comprehensive security strategy, including robust input validation, secure system configurations, and appropriate access controls for log files and logging infrastructure.","message":"This formatter addresses CRLF injection on the *output* of log messages to a handler. It does not prevent other forms of log manipulation if the underlying logging system or storage mechanism is compromised, or if inputs are not properly validated *before* reaching the logger (e.g., if a database field storing log data already contains malicious content).","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-17T00:00:00.000Z","next_check":"2026-07-16T00:00:00.000Z","problems":[{"fix":"Install the package using pip: `pip install logging-formatter-anticrlf`","cause":"The `logging-formatter-anticrlf` library has not been installed in the current Python environment.","error":"ModuleNotFoundError: No module named 'logging_formatter_anticrlf'"},{"fix":"The `AntiCRLFFormatter` class is directly available at the top-level package: `from logging_formatter_anticrlf import AntiCRLFFormatter`","cause":"Attempting to import the `AntiCRLFFormatter` class from an incorrect sub-module path.","error":"AttributeError: module 'logging_formatter_anticrlf' has no attribute 'AntiCRLFFormatter'"}]}