[https://issues.apache.org/jira/browse/LOG4J2-3230?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462827#comment-17462827]
Jon Bristow commented on LOG4J2-3230:
-------------------------------------
[~marioja] : it looks like the chief difference is the flag
"substitutionInVariablesEnabled" is false by default in 2.3 and true in 2.15.0.
I can't figure out how to get a log4j config to turn it off or on, but I assume
it _could_ be.
Using this code, I can cause an exception to occur in 2.3 AND 2.16.0: (But not
2.17.0)
{code:java}
import org.apache.logging.log4j.core.lookup.StrSubstitutor;

// Enabling substitution inside variables is what lets the nested lookups re-expand.
final StrSubstitutor substitutor = new StrSubstitutor();
substitutor.setEnableSubstitutionInVariables(true);
// The nested ${...} string from the issue description; triggers the recursion on 2.3 and 2.16.0.
final String replaced = substitutor.replace("Malicious log attempt C ${${::-${::-$${::-j}}}}");
System.err.println(replaced);
{code}
The javadoc implies there's a way to flip that flag via config, but I've got
another obligation that I have to attend to that is preventing me from digging
farther to find the specific mechanism.
> Certain strings can cause infinite recursion
> --------------------------------------------
>
> Key: LOG4J2-3230
> URL: https://issues.apache.org/jira/browse/LOG4J2-3230
> Project: Log4j 2
> Issue Type: Bug
> Components: Core
> Affects Versions: 2.8, 2.8.1, 2.8.2, 2.9.0, 2.9.1, 2.10.0, 2.11.0, 2.11.1,
> 2.11.2, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.13.2, 2.14.0, 2.13.3, 2.14.1,
> 2.15.0, 2.16.0
> Reporter: Ross Cohen
> Assignee: Carter Kozak
> Priority: Major
> Fix For: 2.17.0
>
> Attachments: sample.tar.gz
>
>
> If a string substitution is attempted for any reason on the following string,
> it will trigger an infinite recursion, and the application will crash:
> ${${::-${::-$${::-j}}}}.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
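As an added example (not Log4j code, nor anything from this issue's attachments): a small Python scanner that measures how deeply `${...}` lookups nest in a string, so that log arguments or configuration values can be flagged before they reach a substitutor with substitutionInVariablesEnabled set to true. It models only the surface syntax (`${` opens, `}` closes, `$$` escapes a literal dollar) and counts an escaped `$${` as an opening too, since the crashing string quoted above nests one inside the outer lookups; the depth limit of 2 is an assumed policy, not a Log4j setting.

```python
# Added example (not Log4j code): measure how deeply ${...} lookups nest in a
# string, as a pre-filter for values that will reach a substitutor with
# substitutionInVariablesEnabled set to true.
# Models only the surface syntax: "${" opens a lookup, "}" closes the innermost
# open lookup, "$$" escapes a literal "$". An escaped "$${" is counted as an
# opening as well, since the crashing string from the issue nests one inside
# the outer lookups. The depth limit is an assumed policy, not a Log4j setting.

def lookup_nesting(text: str) -> dict:
    """Return the maximum nesting depth, the number of escaped '$${' openings
    and whether the lookup braces are left unbalanced."""
    depth = max_depth = escaped_opens = 0
    i, n = 0, len(text)
    while i < n:
        if text.startswith("$${", i):     # escaped opening: still a nesting level
            escaped_opens += 1
            depth += 1
            i += 3
        elif text.startswith("${", i):    # plain opening of a lookup
            depth += 1
            i += 2
        elif text.startswith("$$", i):    # escaped literal dollar, no lookup
            i += 2
        else:
            if text[i] == "}" and depth > 0:
                depth -= 1
            i += 1
        max_depth = max(max_depth, depth)
    return {"max_depth": max_depth, "escaped_opens": escaped_opens,
            "unbalanced": depth != 0}


def is_suspicious(text: str, max_allowed_depth: int = 2) -> bool:
    """Flag strings whose lookups nest deeper than the assumed policy allows,
    or whose lookup braces never close."""
    info = lookup_nesting(text)
    return info["max_depth"] > max_allowed_depth or info["unbalanced"]


if __name__ == "__main__":
    # Constructed samples: the crashing string quoted in the issue plus two benign ones.
    for sample in ("Malicious log attempt C ${${::-${::-$${::-j}}}}",
                   "${sys:user.home}/logs", "$${ctx:id}"):
        verdict = "suspicious" if is_suspicious(sample) else "ok"
        print(repr(sample), lookup_nesting(sample), verdict)
```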