carterkozak commented on pull request #649: URL: https://github.com/apache/logging-log4j2/pull/649#issuecomment-999900777
@riven8192 the repackaging plugins I'm aware of also match string constants and rewrite those when they match fully qualified class names. I believe that would work correctly with the implementation on release-2.x, however not all repacking scripts update strings, in which case we'd end up logging a warning to the StatusLogger in that codepath. > breaking the effectiveness of the patch, leaving the service/server vulnerable. I'm not sure that's entirely correct -- `JndiLookup` constructor checks the enablement property itself, and throws if jndi lookups haven't been explicitly turned on: https://github.com/apache/logging-log4j2/blob/a19ef9bceeaad862cfc0b50394a7f791d5e17b8c/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java#L46-L50 This would cause a warning to be logged here: https://github.com/apache/logging-log4j2/blob/a19ef9bceeaad862cfc0b50394a7f791d5e17b8c/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L78-L87 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
