ppkarwasz opened a new pull request, #1885:
URL: https://github.com/apache/logging-log4j2/pull/1885

   We change the order in which `FormattedMessage` checks the format of the 
provided pattern: we first check for the presence of `{}` placeholders and only 
then for `java.util.Format` specifiers.
   
   This eliminates the need for a potentially exponential regular expression 
evaluation, which was reported by Spotbugs (#1849).
   
   The Javadoc and documentation were improved to clarify the heuristic used by 
`FormattedMessage`.
   
   Closes #1223.
   
   Remark: since `FormattedMessage` used the **same** regular expression as 
`java.util.Format`, if a message uses `java.util.Format` specifiers, it is 
still vulnerable to a ReDoS.
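   The ordering heuristic the PR describes, as an added illustration that is not Log4j's own code: a cheap linear scan for `{}` placeholders runs first, and only when none are found does the (potentially expensive) specifier regex run at all. The `FORMAT_SPECIFIER` pattern below is an assumed approximation of the `java.util.Formatter` specifier syntax, the third `MESSAGE_FORMAT` branch is an assumed fallback, and the sample messages are constructed; escaped placeholders (`\{}`) are deliberately not handled here.

```java
import java.util.regex.Pattern;

/**
 * Illustrative format-detection heuristic (example code, not the project's).
 * Order: (1) linear scan for "{}" placeholders; (2) only if none are found,
 * fall back to a regex for java.util.Formatter-style specifiers;
 * (3) otherwise assume a MessageFormat-style pattern (assumed fallback).
 */
public final class FormatDetector {

    public enum Kind { PARAMETERIZED, STRING_FORMATTED, MESSAGE_FORMAT }

    // Assumed approximation of the java.util.Formatter specifier syntax.
    // It is consulted only after the "{}" check fails, so it never runs on
    // messages that use parameterized placeholders.
    private static final Pattern FORMAT_SPECIFIER = Pattern.compile(
        "%(\\d+\\$)?([-#+ 0,(<]*)?(\\d+)?(\\.\\d+)?([tT])?([a-zA-Z%])");

    private FormatDetector() {}

    /** Linear scan: true if the pattern contains at least one "{}" placeholder. */
    static boolean hasParameterizedPlaceholder(String pattern) {
        int i = pattern.indexOf('{');
        while (i >= 0 && i + 1 < pattern.length()) {
            if (pattern.charAt(i + 1) == '}') {
                return true;
            }
            i = pattern.indexOf('{', i + 1);
        }
        return false;
    }

    /** Applies the checks in the order described above and returns the detected kind. */
    static Kind detect(String pattern) {
        if (hasParameterizedPlaceholder(pattern)) {
            return Kind.PARAMETERIZED;      // regex is never evaluated on this path
        }
        if (FORMAT_SPECIFIER.matcher(pattern).find()) {
            return Kind.STRING_FORMATTED;   // only reached for messages without "{}"
        }
        return Kind.MESSAGE_FORMAT;         // assumed fallback branch
    }

    public static void main(String[] args) {
        // Constructed sample patterns.
        String[] samples = {
            "User {} logged in from {}",     // parameterized: regex skipped
            "User %s logged in from %s",     // String.format style
            "User {0} logged in from {1}",   // MessageFormat style, no "{}" and no specifier
            "Progress: 50% done, id={}",     // "% d" looks like a specifier, but "{}" wins
        };
        for (String s : samples) {
            System.out.printf("%-32s -> %s%n", s, detect(s));
        }
    }
}
```

   The last sample is the interesting one: `"50% done"` contains what the specifier regex reads as `% d` (flag then conversion), so checking for specifiers first would misclassify it; scanning for `{}` first keeps that message on the linear path and the regex is never reached.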
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
