From my recent browsing of the source, my understanding is that the JNDI-specific defense mechanism will help you as JNDI is now opt-in. For many of us, we didn't want these lookups happening *on message text* (often containing user input) in the first place! That is a different defense mechanism added but is not applicable to you as you are expressly using them. Be mindful of where user input is coming from when you apply this logic.
~ David Smiley
Apache Lucene/Solr Search Developer
http://www.linkedin.com/in/davidwsmiley

On Wed, Dec 22, 2021 at 5:25 AM Franz van Betteraey <fr...@van-betteraey.de> wrote:
> Dear Log4j Team,
>
> first of all thank you for your tireless efforts around the project,
> which I appreciate very much.
>
> My question is: Is it safe to call 'StrSubstitutor.replace(final
> LogEvent event, final String source)' in a custom Layout class that
> inherits from AbstractStringLayout? The StrSubstitutor object is derived
> via the configuration and the 'source' string might contain any lookup
> placeholder.
>
> It is not clear to me if the defense mechanisms against the current
> security vulnerabilities take effect before such a call and prevent the
> framework from calling this method, or if the call is still secure and the
> defense happens afterwards (e.g. by not instantiating lookups).
>
> I thank you for any advice and wish you happy and peaceful holidays.
>
> Franz
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
> For additional commands, e-mail: log4j-user-h...@logging.apache.org
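As an added illustration (not code from this thread or from the Log4j project), here is a minimal custom layout in the shape Franz describes. It assumes log4j-core 2.x on the classpath; the plugin name `TemplateLayout`, the `template` attribute and the `%msg` marker are hypothetical names chosen for the example. It shows the point made in the reply: `StrSubstitutor.replace(event, source)` evaluates whatever placeholders `source` carries, so the layout runs substitution only over the operator-controlled template and splices the message text in afterwards, never the other way round.

```java
// Hypothetical custom layout (example only, not from the thread or the Log4j project).
// Assumes log4j-core 2.x on the classpath.
package example.logging;

import java.nio.charset.StandardCharsets;

import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginAttribute;
import org.apache.logging.log4j.core.config.plugins.PluginConfiguration;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.layout.AbstractStringLayout;
import org.apache.logging.log4j.core.lookup.StrSubstitutor;

/**
 * Expands lookups only in the operator-controlled template (taken from the
 * configuration file), then splices the log message in afterwards so that
 * text carried by the message is never handed to StrSubstitutor.
 */
@Plugin(name = "TemplateLayout", category = "Core", elementType = "layout", printObject = true)
public final class TemplateLayout extends AbstractStringLayout {

    /** Marker in the template that stands for the message text (hypothetical convention). */
    private static final String MESSAGE_MARKER = "%msg";

    private final String template;
    private final StrSubstitutor substitutor;

    private TemplateLayout(final Configuration config, final String template) {
        super(config, StandardCharsets.UTF_8, null, null);
        this.template = template;
        // Same substitutor the configuration itself uses, so it carries the
        // configuration's lookup restrictions (e.g. JNDI being opt-in).
        this.substitutor = config.getStrSubstitutor();
    }

    @PluginFactory
    public static TemplateLayout createLayout(
            @PluginConfiguration final Configuration config,
            @PluginAttribute(value = "template", defaultString = MESSAGE_MARKER) final String template) {
        return new TemplateLayout(config, template);
    }

    @Override
    public String toSerializable(final LogEvent event) {
        // Step 1: resolve lookups in the template only. The template comes from the
        // configuration, so its ${...} placeholders are operator input, not user input.
        final String expanded = substitutor.replace(event, template);

        // Step 2: insert the formatted message verbatim. Any ${...} inside the
        // message stays literal because it is never passed to StrSubstitutor.replace().
        //
        // What NOT to do: assemble the line first and substitute afterwards, i.e.
        //   substitutor.replace(event, template.replace(MESSAGE_MARKER, message))
        // which would evaluate whatever placeholders the message carries.
        final String message = event.getMessage().getFormattedMessage();
        return expanded.replace(MESSAGE_MARKER, message) + System.lineSeparator();
    }
}
```

When the `template` attribute is set in the configuration, remember the usual Log4j convention: a placeholder written as `${...}` is resolved once when the configuration is loaded, while `$${...}` is left for the layout to resolve per event (for example `$${ctx:requestId} %msg`). Either way the message text itself is only ever concatenated, not substituted.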