vy commented on PR #2773:
URL: https://github.com/apache/logging-log4j2/pull/2773#issuecomment-2254144407
> the `useRawMessage` attribute of `RegexFilter` does not make much sense,
> since it uses `getFormat()`.

This is a difficult one. That is, I can understand the rationale behind
`useRawMessage`:
1. Efficiency (no need to format parameters)
2. Avoiding ambiguity – For instance, given logging statements
`LOGGER.info("foo {}", userProvidedField)` and `LOGGER.info("foo bar")`, how
can I only match the latter without using `useRawMessage`? That is, a malicious
user can pass `userProvidedField` as `bar`.
In short, `useRawMessage` has value, but it is implemented incorrectly, IMO.
Instead, I think, we should have introduced a `RegexFilterableMessage` contract
and implemented it in certain message types. Since this is rather a big
undertaking, for the time being, I have improved `RegexFilter` in
33373f90e18b5b64d51f53ac338e221de506c4de to specialize on certain message
types. @ppkarwasz, is this okay with you?
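
The ambiguity described in point 2 of the comment above, as an added example that is not part of the comment or of the PR's code. It assumes `log4j-api` 2.x on the classpath, applies a plain `java.util.regex.Pattern` instead of `RegexFilter` itself, and assumes the two logging statements produce a `ParameterizedMessage` and a `SimpleMessage` (the actual classes depend on the configured message factory); the class and method names are hypothetical.

```java
import java.util.regex.Pattern;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.log4j.message.SimpleMessage;

public class RawVersusFormattedMatch {

    // Pattern intended to select only the literal "foo bar" statement.
    private static final Pattern ONLY_FOO_BAR = Pattern.compile("^foo bar$");

    // Match on the formatted text: parameter values are already substituted,
    // so caller-controlled data takes part in the match.
    static boolean matchesFormatted(Message message) {
        return ONLY_FOO_BAR.matcher(message.getFormattedMessage()).matches();
    }

    // Match on the raw format string: parameter values never reach the regex
    // and no parameter formatting is needed.
    static boolean matchesRaw(Message message) {
        return ONLY_FOO_BAR.matcher(message.getFormat()).matches();
    }

    static String describe(String label, Message message) {
        return String.format(
                "%-14s format=\"%s\" formatted=\"%s\" matchesFormatted=%b matchesRaw=%b",
                label,
                message.getFormat(),
                message.getFormattedMessage(),
                matchesFormatted(message),
                matchesRaw(message));
    }

    public static void main(String[] args) {
        // Constructed sample value standing in for user-provided input.
        String userProvidedField = "bar";

        // Stand-in for LOGGER.info("foo {}", userProvidedField) (assumed message type).
        Message parameterized = new ParameterizedMessage("foo {}", userProvidedField);
        // Stand-in for LOGGER.info("foo bar") (assumed message type).
        Message literal = new SimpleMessage("foo bar");

        System.out.println(describe("parameterized", parameterized));
        System.out.println(describe("literal", literal));
    }
}
```

Both messages format to the same text, so only the raw-format match can tell the literal statement apart from the parameterized one.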