[ 
https://issues.apache.org/jira/browse/LOG4J2-3258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17463006#comment-17463006
 ] 

Ralph Goers commented on LOG4J2-3258:
-------------------------------------

I should also add that we discussed adding an annotation that would identify a 
Lookup as Safe or Unsafe, but it really came down to it being acceptable for 
users to have their logging configuration fail due to misconfiguration but it was 
not acceptable to have applications fail while running due to bad things being 
passed into sensitive lookups like the ContextMapLookup. It is considered a 
Log4j security defect to have any possibility of the app crashing due to a stack 
overflow by someone managing to craft an undetectable recursive lookup outside 
the system and managing to get Log4j to process it. That is essentially what 
CVE-2021-45105 is all about.

> RollingFile fileName containing variables does not work on 2.17.0
> -----------------------------------------------------------------
>
>                 Key: LOG4J2-3258
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3258
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Appenders
>    Affects Versions: 2.17.0
>         Environment: Java 17, Ubuntu 20.04.
>            Reporter: Konstantinos Liakos
>            Priority: Major
>
> A configuration like the below has stopped working since 2.17.0. The 
> variables that originate from <Properties> are not resolved to their actual 
> values.
> {code:xml}
> <Property name="logs_dir">$${env:LOGS_DIRECTORY}</Property> {code}
> {code:xml}
> <RollingFile name="Rolling-${ctx:logFile}" 
> fileName="${logs_dir}/${ctx:logFile}"{code}
>  
> Works fine on 2.16.0.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
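
The trade-off described in the comment above (a lookup that refers back to itself should produce a bounded, catchable failure rather than a stack overflow) is sketched below as an added example. It is a toy `${name}` substitutor written for this page, not Log4j's code or its fix; the class name, `MAX_DEPTH` and the sample maps are assumptions, and nested `${${...}}` syntax is deliberately not parsed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Map;

// Toy ${name} substitutor (hypothetical; not Log4j's StrSubstitutor).
public class SafeSubstitutor {
    private static final int MAX_DEPTH = 16; // assumed bound on nested resolution
    private final Map<String, String> values;

    SafeSubstitutor(Map<String, String> values) { this.values = values; }

    String resolve(String input) { return resolve(input, new ArrayDeque<>()); }

    private String resolve(String input, Deque<String> inProgress) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (pos < input.length()) {
            int start = input.indexOf("${", pos);
            int end = start < 0 ? -1 : input.indexOf('}', start + 2);
            if (end < 0) { // no further complete reference: copy the rest
                out.append(input, pos, input.length());
                break;
            }
            out.append(input, pos, start);
            String name = input.substring(start + 2, end);
            String value = values.get(name);
            if (value == null) {
                out.append(input, start, end + 1); // unknown name stays literal
            } else if (inProgress.contains(name) || inProgress.size() >= MAX_DEPTH) {
                // Name is already being resolved further up the call chain: stop here.
                throw new IllegalStateException("recursive lookup: " + inProgress + " -> " + name);
            } else {
                inProgress.push(name);
                out.append(resolve(value, inProgress));
                inProgress.pop();
            }
            pos = end + 1;
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample data, loosely modelled on the fileName in the report.
        Map<String, String> good = Map.of("logs_dir", "/var/log/app", "file", "${logs_dir}/app.log");
        System.out.println(new SafeSubstitutor(good).resolve("fileName=${file}"));
        Map<String, String> cyclic = Map.of("a", "${b}", "b", "${a}");
        try {
            new SafeSubstitutor(cyclic).resolve("${a}");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```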