srdo commented on pull request #644:
URL: https://github.com/apache/logging-log4j2/pull/644#issuecomment-997693611


You are right that 3230 fixes the vulnerability; I'm not opening this PR to
fix a known problem. I'm coming at this from the point of view that if there is 
no reason to allow infinite recursion (which I don't think there is), it should 
not be possible at all. I think this is safer than allowing infinite recursion 
in some cases, when it is not needed. This will also make it safer to use the 
substitutor in future code, since it is not as dangerous if you accidentally 
allow recursion somewhere an attacker could insert a string.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
