Re: Log4j issue

2021-12-20 Thread bab
I searched for ${ctx:somekey} in the log4j-config.xsd file but could not find anything. Does that mean it is enough if we upgrade to 2.17 or just remove the class file?

Quoting Ralph Goers:

Removing JndiLookup helps by preventing the JNDI attack. You absolutely need to do this if you do no

Re: Log4j issue

2021-12-20 Thread Tushar Kapila
The exact plain string (non-regex) to search for would be "${ctx". "somekey" is a placeholder for the name of the variable.

On Mon, 20 Dec, 2021, 16:29 , wrote:
> I searched ${ctx:somekey} in the log4j-config.xsd file but could not
> find anything.
> Is that means that is enough If we upgrade to 2.17 or just r

Re: Log4j issue

2021-12-20 Thread bab
Do you mean I have to search for "${ctx" in the Log4j-config.xsd file? Would you say exactly what parameters need to be removed from the Log4j-config.xsd file?

Quoting Tushar Kapila:

Exact plain string (Non regex) to search would be "${ctx" "somekey" is a placeholder for name of variable. On Mon,

Re: Log4j issue

2021-12-20 Thread bab
I cannot understand what this means:

> Otherwise, in the configuration, remove references to Context Lookups like ${ctx:loginId} or $${ctx:loginId} where they originate from sources external to the application such as HTTP headers or user input.

1- Would you say what I should do exactly?