Dear Log4j Team,

First of all, thank you for your tireless efforts around the project,
which I appreciate very much.

My question is: Is it safe to call 'StrSubstitutor.replace(final
LogEvent event, final String source)' in a custom Layout class that
inherits from AbstractStringLayout? The StrSubstitutor object is derived
via the configuration and the 'source' string might contain any lookup
placeholder.

It is not clear to me if the defense mechanisms against the current
security vulnerabilities take effect before such a call and prevent the
framework from calling this method, or if the call is still secure and the
defense happens afterwards (e.g. by not instantiating lookups).

I thank you for any advice and wish you happy and peaceful holidays.

  Franz

