carterkozak commented on pull request #644:
URL: https://github.com/apache/logging-log4j2/pull/644#issuecomment-1000927711
When the recursion limit is hit, it's not clear whether we should return the original string, or avoid recursing further.

Consider `java version: ${java:version}, recursive value: ${[assume >10 layers of recursion]}`

Should we return the input: `java version: ${java:version}, recursive value: ${[assume >10 layers of recursion]}`

Or the pieces that we could successfully replace? `java version: 11.0.11, recursive value: ${[assume >10 layers of recursion]}`

Throwing is a bit different: prior to 2.17, where we added try/catch to StrSubstitutor, it would prevent entire log events from being recorded, which probably isn't what we want. If this is called using a path which doesn't handle the exception, the case where depth is greater than the limit but less than the JVM max stack depth is worse off. I don't expect that case to be common.

I'm in favor of defense in depth; I also want to make sure that we're not adding complexity that unintentionally hinders our ability to maintain and secure this component :-)
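
Added example, not part of the original comment and not Log4j's own code: a toy `${key}` substitutor that shows the two return behaviours weighed in the comment above when a depth limit of 10 is reached. The class name, the `Policy` enum, the `LimitHit` exception and the self-referencing key `a` are assumptions made for illustration.

```java
import java.util.Map;

// Toy substitutor (hypothetical; not Log4j's StrSubstitutor) comparing the
// two return policies discussed above when the recursion limit is hit.
public class DepthLimitDemo {
    enum Policy { RETURN_INPUT, KEEP_PARTIAL }
    static final class LimitHit extends RuntimeException {}

    // Constructed lookup table: "a" refers to itself, so it never bottoms out.
    static final Map<String, String> VALUES = Map.of(
            "java:version", "11.0.11",
            "a", "${a}");

    static String substitute(String input, int limit, Policy policy) {
        try {
            return resolve(input, 0, limit, policy);
        } catch (LimitHit e) {
            // RETURN_INPUT: discard partial work. Letting this propagate
            // instead would be the "throw" option from the comment.
            return input;
        }
    }

    private static String resolve(String text, int depth, int limit, Policy policy) {
        StringBuilder out = new StringBuilder();
        int pos = 0;
        while (true) {
            int start = text.indexOf("${", pos);
            int end = start < 0 ? -1 : text.indexOf('}', start);
            if (end < 0) return out.append(text, pos, text.length()).toString();
            out.append(text, pos, start);
            String ref = text.substring(start, end + 1);
            String value = VALUES.get(text.substring(start + 2, end));
            if (value == null) {
                out.append(ref); // unknown key: leave the reference as written
            } else if (depth >= limit) {
                if (policy == Policy.RETURN_INPUT) throw new LimitHit();
                out.append(ref); // KEEP_PARTIAL: only this reference stays unresolved
            } else {
                out.append(resolve(value, depth + 1, limit, policy));
            }
            pos = end + 1;
        }
    }

    public static void main(String[] args) {
        String in = "java version: ${java:version}, recursive value: ${a}";
        System.out.println(substitute(in, 10, Policy.RETURN_INPUT));
        System.out.println(substitute(in, 10, Policy.KEEP_PARTIAL));
    }
}
```

With `RETURN_INPUT` the whole string comes back untouched, including the resolvable `${java:version}`; with `KEEP_PARTIAL` the version is substituted and only the too-deep reference is left in place.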