Agreed. I didn’t realize this feature existed like that until recently, and
it’s not worth salvaging.
Matt Sicker
> On Dec 11, 2021, at 09:25, Ralph Goers wrote:
>
> I agree. Remove it from master.
>
> Ralph
>
>> On Dec 11, 2021, at 7:42 AM, Carter Kozak wrote:
>>
>> Agreed that the featu
I agree. Remove it from master.
Ralph
> On Dec 11, 2021, at 7:42 AM, Carter Kozak wrote:
>
> Agreed that the feature should be purged entirely. I turned it off by default
> with no global enablement on release-2.x (shipped in 2.15).
>
> -ck
>
>> On Dec 11, 2021, at 09:13, Mikael Ståldal wro
Agreed that the feature should be purged entirely. I turned it off by default
with no global enablement on release-2.x (shipped in 2.15).
-ck
> On Dec 11, 2021, at 09:13, Mikael Ståldal wrote:
>
> I would say that log messages and log message parameters are as much (or as
> little) controlled
I would say that log messages and log message parameters are as much (or
as little) controlled by the application. I don't think it makes sense to
see them differently from a security perspective.
Just as some code might do:
logger.info("some message {}", userInput);
Other code might do:
log
I think we have a misunderstanding, Remko. I indeed proposed removing *"message
lookups"*, that is, lookup interpolation in log messages. I don't want to
remove other usages of lookups.
In particular, as of date, message lookups are only used by PatternLayout.
Hence, my proposal is to remove them
I agree with Remko, we should not drop lookups altogether, they are too
useful. Dropping them from parameter parsing is ok at first glance.
Gary
On Fri, Dec 10, 2021, 05:50 Remko Popma wrote:
> I would say no. Lookups are very powerful and useful.
> We could consider removing JNDI lookups.
>
>
I would say no. Lookups are very powerful and useful.
We could consider removing JNDI lookups.
The biggest problem however is that the lookups are applied to the logging
message *parameters*.
The logging message is controlled by the application, so any lookups there
should be fine or at least any
Shall we completely remove message lookups (which are only used by
PatternLayout) in master?
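
The distinction the thread draws, between lookups in the layout configuration and "message lookups" applied to the formatted log message, can be seen in a simplified model. This is an added example, not Log4j code and not part of any message above; the class, its methods, the `[${env:REGION}] %m` pattern and the lookup value are constructed for illustration.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Simplified model (hypothetical names, not Log4j's implementation).
public class MessageLookupDemo {
    private static final Pattern LOOKUP = Pattern.compile("\\$\\{([^}]+)\\}");
    // Constructed lookup table standing in for a real lookup source.
    private static final Map<String, String> LOOKUPS = Map.of("env:REGION", "eu-west-1");

    // Replace each ${key} with its value; unknown keys are left untouched.
    static String resolve(String text) {
        Matcher m = LOOKUP.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = LOOKUPS.getOrDefault(m.group(1), m.group());
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Substitute the first {} placeholder with the parameter, as plain text.
    static String format(String template, String param) {
        return template.replaceFirst("\\{\\}", Matcher.quoteReplacement(param));
    }

    // Lookups in the layout pattern (configuration) are always resolved.
    // With messageLookups=true the formatted message is interpolated too, so
    // text that arrived through a parameter is interpreted as a lookup.
    static String render(String pattern, String message, boolean messageLookups) {
        String body = messageLookups ? resolve(message) : message;
        return resolve(pattern).replace("%m", body);
    }

    public static void main(String[] args) {
        String pattern = "[${env:REGION}] %m";   // configuration-controlled
        String userInput = "${env:REGION}";      // constructed sample parameter
        String message = format("some message {}", userInput);

        // Message lookups on: prints "[eu-west-1] some message eu-west-1"
        System.out.println(render(pattern, message, true));
        // Message lookups removed: prints "[eu-west-1] some message ${env:REGION}"
        System.out.println(render(pattern, message, false));
    }
}
```

In the second call the configuration lookup still works, while the parameter text reaches the output uninterpreted.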