srdo commented on pull request #644: URL: https://github.com/apache/logging-log4j2/pull/644#issuecomment-998546015
@carterkozak An issue like 3230 would have been much less serious if the substitutor weren't capable of infinite recursion. This is an attempt at harm reduction in case an issue like 3230 crops up again in the future, e.g. in new code. When recursion is limited, if another vector is discovered for an attacker (or unlucky regular user) to insert a string that would cause infinite recursion, the fallout will be that the log line is not interpolated. That type of bug is much less severe than a security vulnerability.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

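The harm-reduction idea in the comment above, modelled as a standalone depth-limited `${var}` substitutor. This is an added example, not Log4j's StrSubstitutor or any code from the PR; the lookup table, `MAX_DEPTH` and the function names are assumptions. A self-referential or mutually recursive lookup hits the depth cap and the line is returned un-interpolated instead of recursing forever.

```python
import re

# Constructed lookup table standing in for the project's variable resolvers (assumed).
LOOKUPS = {
    "app": "payments",
    "env": "prod",
    "nested": "${app}-${env}",   # legitimate one-level nesting
    "self": "${self}",           # resolves to itself: unbounded recursion if not limited
    "ping": "${pong}",
    "pong": "${ping}",           # mutual recursion between two variables
}

VAR = re.compile(r"\$\{([^${}]+)\}")
MAX_DEPTH = 5  # hypothetical cap; what matters is that it is finite


class RecursionLimitExceeded(Exception):
    """Raised when variable expansion nests deeper than MAX_DEPTH."""


def _substitute(text, depth):
    if depth > MAX_DEPTH:
        raise RecursionLimitExceeded(text)

    def resolve(match):
        name = match.group(1)
        value = LOOKUPS.get(name)
        if value is None:
            return match.group(0)  # unknown variable: leave the reference untouched
        # Variables inside the resolved value are expanded one level deeper.
        return _substitute(value, depth + 1)

    return VAR.sub(resolve, text)


def interpolate(text):
    """Expand ${var} references; on runaway recursion, return the raw line unchanged."""
    try:
        return _substitute(text, 0)
    except RecursionLimitExceeded:
        # Failure mode is a non-interpolated log line, not a hang or a deeper lookup chain.
        return text
```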