ppkarwasz commented on issue #3526: URL: https://github.com/apache/logging-log4j2/issues/3526#issuecomment-2711398405
@Eccenux, can you add your Log4j Core configuration file? Are you using a custom layout? Is the standard output of your application directly connected to a terminal or is it interpreted by a shell?

Standard Log4j Core [layouts](https://logging.apache.org/log4j/2.x/manual/layouts.html) and [message factories](https://logging.apache.org/log4j/2.x/manual/extending.html#MessageFactory) do **not** expand `*` globs in either the message format or the parameters. However, this does not exclude the possibility of a third-party layout doing that.

> Seems like a star character ("*") is expanded into a directory listing. Might be a security I guess, but I don't think so. It's definitely an annoyance.

Whenever you suspect that a bug might be a security vulnerability, please [follow our vulnerability reporting process](https://logging.apache.org/security.html#reporting) instead of opening public PRs. Your bug is not reproducible using [`PatternLayout`](https://logging.apache.org/log4j/2.x/manual/pattern-layout.html) (which is what you probably use), but if it was reproducible it would be a mild vulnerability.
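One way to test the shell-interpretation question asked in the comment above, as an added example that is not part of the original comment or of Log4j: it compares a wrapper that relays a log line unquoted with one that relays it quoted. The function names, the sample log line and the file names are constructed for illustration.

```shell
#!/bin/sh
# Constructed log line as a layout would write it: the '*' is a literal character.
LOG_LINE='INFO Deleting files matching * in work dir'

# Hypothetical wrapper relaying the line UNQUOTED: the shell word-splits the
# argument and replaces the bare '*' with the names in the current directory.
relay_unquoted() {
    echo $1
}

# Hypothetical wrapper relaying the line QUOTED: the text passes through unchanged.
relay_quoted() {
    printf '%s\n' "$1"
}

# Returns 0 if the relay function named in $1 passes a '*' through unchanged.
# Run it in a NON-EMPTY directory: in an empty one an unmatched '*' stays
# literal and an unsafe relay would look safe.
preserves_star() {
    canary='canary * canary'
    [ "$("$1" "$canary")" = "$canary" ]
}

# Exercise both relays in a scratch directory holding constructed file names.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > app.jar
        : > secrets.properties
        for relay in relay_quoted relay_unquoted; do
            if preserves_star "$relay"; then
                verdict=unchanged
            else
                verdict=EXPANDED
            fi
            printf '%-15s %-9s %s\n' "$relay" "$verdict" "$("$relay" "$LOG_LINE")"
        done
    )
    rm -rf "$dir"
}

demo
```

If the unquoted relay reproduces the directory listing, the expansion happens in the script that consumes the application's output, not in the logging layout.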