GitHub user stechio edited a comment on the discussion: log4j-script: what about security?

Thank you, @ppkarwasz, for the clear picture of the overall security assumptions backing the logging framework: so, to my understanding, log4j sensibly demarcates its own responsibility in the handling of log data (messages, string representation of parameters, thread contexts), whilst the safety of the execution environment and its resources is up to the administrators and application developers (trusted users) :thumbsup:

My doubts originated from the dated model used by other projects out there, which tends to put on the application level the burden of untrusted code, isolating extensions/plugins in some kind of sandbox, as a complement to the now-deprecated native java security manager.

(I don't have a particular use case to share, I was just contemplating the use of scripting to customize the logging configuration in a generic deployment scenario.)

GitHub link: https://github.com/apache/logging-log4j2/discussions/3894#discussioncomment-14196398

----
This is an automatically sent email for dev@logging.apache.org.
To unsubscribe, please send an email to: dev-unsubscr...@logging.apache.org