GitHub user ppkarwasz added a comment to the discussion: Threat model: how should Thread Context (MDC) keys be classified (trusted structural or untrusted content)?
> The cost argument also favors this: appenders already sanitize values in
> structured layouts. Extending that to keys is a small and natural addition.

Note that doing so might require the disclosure as vulnerabilities of some past bug fixes/hardenings to MDC key formatting. I am all for this proposal, but we'll need to double check the formatting of MDC keys and give a lower bound for the validity of the threat model.

### Historical context

In apache/logging-site#10 I **did** propose MDC keys as untrusted input as a justification of CVE-2021-45046. However, as it turns out, that CVE resulted from:

- the evaluation of MDC **values**,
- the execution of remote classes, which is something Log4j is **not** supposed to do, even for trusted input.

GitHub link: https://github.com/apache/logging-log4j2/discussions/4132#discussioncomment-17152818
