garydgregory commented on pull request #644: URL: https://github.com/apache/logging-log4j2/pull/644#issuecomment-997897168
> > @quaff I don't think that fixes the same thing? This fix is trying to limit recursion depth in all cases, the fix you are linking disables recursion in some cases. > > Limiting max recursion depth doesn't need anymore, since v2.17.0 it only allow recursion lookup from configuration which is controlled by developer, It's safe enough since attacker cannot change your configuration file and restart your application, even if endless recursion introduced by accident, you will know at the startup time. We do want a limit when the feature is enabled. I will take a look later today. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
