GitHub user ppkarwasz added a comment to the discussion: Threat model: how should Thread Context (MDC) keys be classified (trusted structural or untrusted content)?
Whether we escape keys or not is orthogonal to whether they are trusted or not. It only influences the classification of a formatting bug: it is either a normal bug or a vulnerability. GitHub link: https://github.com/apache/logging-log4j2/discussions/4132#discussioncomment-17152943 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
