Gamebuster19901 commented on a change in pull request #644:
URL: https://github.com/apache/logging-log4j2/pull/644#discussion_r775102029
##########
File path:
log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java
##########
@@ -168,6 +168,11 @@
private static final int BUF_SIZE = 256;
+ /**
+ * The maximum number of recursions performed during substitution.
+ */
+ private static final int MAX_SUBSTITUTION_RECURSIONS = 10;
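Review bot: the Javadoc on `MAX_SUBSTITUTION_RECURSIONS` says what the constant counts but not what happens when the limit is reached; add a sentence stating whether substitution stops, leaves the text unresolved, or throws. It is also worth noting in the comment that, as a `private static final int` initialised from a literal, the bound cannot be altered by a system property, which answers the concern raised in review below.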
Review comment:
I disagree. If a developer needs a depth of more than 10, they should
rethink their design. I would remove the `MAX_SUBSTITUTION_RECURSIONS`
altogether and hardcode the value of `10` in `checkRecursionEventNotExceeded`.
Fields and system properties could potentially be modified by a malicious
actor, and set to something ridiculous like `-1` or `Integer.MAX_VALUE`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
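As an added illustration of the bounded-depth check discussed above (example code written for this page, not Log4j's StrSubstitutor): a minimal `${key}` substitutor in which the limit is a literal `10` inside the check method rather than a field, mirroring the suggestion in the comment. The class name `BoundedSubstitutor`, the map-backed lookup and the constructed sample entries (including a deliberately self-referential one) are assumptions, not anything from the project.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not Log4j code: a tiny ${key} substitutor whose recursion
// bound is a literal in the check, so no field or system property can widen it.
public final class BoundedSubstitutor {

    private final Map<String, String> lookup;

    public BoundedSubstitutor(Map<String, String> lookup) {
        this.lookup = lookup;
    }

    public String replace(String input) {
        return replace(input, 0);
    }

    // The bound is a literal here on purpose (assumption: 10 levels is ample);
    // nothing at runtime can set it to -1 or Integer.MAX_VALUE.
    private static void checkDepthNotExceeded(int depth) {
        if (depth > 10) {
            throw new IllegalStateException("substitution nesting exceeds 10 levels");
        }
    }

    // Resolves ${key} occurrences; both the key text and the looked-up value
    // may themselves contain ${...}, so each descent increments the depth.
    private String replace(String input, int depth) {
        checkDepthNotExceeded(depth);
        StringBuilder out = new StringBuilder();
        int i = 0;
        while (i < input.length()) {
            int start = input.indexOf("${", i);
            if (start < 0) {
                out.append(input, i, input.length());
                break;
            }
            int end = findMatchingClose(input, start + 2);
            if (end < 0) {
                // Unterminated ${ : copy the remainder verbatim.
                out.append(input, i, input.length());
                break;
            }
            out.append(input, i, start);
            String key = replace(input.substring(start + 2, end), depth + 1);
            String value = lookup.get(key);
            if (value == null) {
                out.append(input, start, end + 1); // unknown key stays unresolved
            } else {
                out.append(replace(value, depth + 1)); // value may nest further
            }
            i = end + 1;
        }
        return out.toString();
    }

    // Returns the index of the '}' closing the ${ that opened just before 'from',
    // honouring nested ${...}; -1 if there is none.
    private static int findMatchingClose(String s, int from) {
        int level = 1;
        for (int i = from; i < s.length(); i++) {
            if (s.startsWith("${", i)) {
                level++;
                i++;
            } else if (s.charAt(i) == '}' && --level == 0) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Constructed sample entries for the demonstration.
        Map<String, String> vars = new HashMap<>();
        vars.put("host", "db01");
        vars.put("url", "jdbc://${host}/app");
        vars.put("self", "${self}");

        BoundedSubstitutor s = new BoundedSubstitutor(vars);
        System.out.println(s.replace("url=${url}"));
        try {
            s.replace("${self}");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running `main` resolves the nested `url` entry through `host` in two levels, while the self-referential `self` entry is cut off by `checkDepthNotExceeded` with an `IllegalStateException` after ten descents instead of running until a `StackOverflowError`. Because the bound is a literal in the check rather than a field, there is no value for an attacker-controlled property to overwrite.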