vy commented on pull request #630: URL: https://github.com/apache/logging-log4j2/pull/630#issuecomment-998746689
As @jvz noted in the mailing list:

> I'll note here that the messages API isn't intended to be interpreted
> the way that CVE-2021-44228 allowed. Messages are supposed to be used
> for more structured logging such as map-based messages or syslog
> messages and are used in audit logging. In this regard, messages are
> intended to be safe and any deviation from that is considered a bug
> (or security vulnerability if it affects the CIA triad).

I am also inclined to avoid convoluting the API with implementation details. _Messages_ are safe, it is how the implementation deals with them which makes them unsafe.
