Hi Daniel,

The plan is to disable lookups in log messages completely in the next Log4j
release.
If you can tell us your concrete use case we may be able to advise on how
to implement it safely.

Lookups in configuration will continue to work (but JNDI will require an
extra setting to be enabled).

On Mon, Dec 13, 2021 at 16:40 Dash a <daniel.ashken...@gmail.com> wrote:

> Hello,
> Sorry to storm in on a discussion that probably happened internally, but
> correct me if I am wrong: the solution offered doesn't seem to fix the
> original issue, which appears to be due to lack of sanitization, but rather
> disables it by default.
>
> This seems a bit lacking if it is the case, as if some software happens to
> have a use case for the feature, they will be forced to apply each his own
> variant solution, and otherwise can be accessed by other vulnerabilities.
>
> Hope you could verify regarding those concerns.
> Daniel
>
