Hi Volkan,

It's not just about exchanging data between systems - that is just one 
particular instance of a larger problem. If you use a pattern layout for _any_ 
reason, it is currently extremely inconvenient to configure securely. If you 
use a structured layout, again for any reason, it's still inconvenient to 
configure securely, though indeed less so than a pattern layout. My 
understanding is that not everyone can, will, or should always use a structured 
layout over a pattern layout. For entertainment, I have collected some layout 
statistics, which I include below.

For the pattern layout case, I have prototyped improved encoders that can be 
used with log4j. The code has already been shared with you, though it will 
obviously need (lots of) discussion. I am happy to continue discussing the 
topic / working on the code with anyone who finds it worthwhile.

Thanks,
Vladimir

Statistics: The dataset is certainly debatable, but it's the best one I have. 
Out of the top 1000 starred Java repositories on GitHub, 89 contain a file 
log4j2.xml with at least one element matching .*Layout. Out of these 89 repos, 
every single one defines at least one pattern layout. Only two repos out of 89 
define a layout that is not a pattern layout: one repo a JSONLayout and one a 
StackdriverLayout. 


-----Original Message-----
From: Volkan Yazıcı <vol...@yazi.ci> 
Sent: Wednesday, 11 October 2023 11:32
To: dev@logging.apache.org
Subject: Re: [log4j] Improving log4j security

Your use case sounds to me as follows: "I want to use `PatternLayout` for
exchanging data between two systems and ... [it is insecure.]" (Please
correct me if I am wrong.) My answer is: "Don't".

`PatternLayout` is not designed to be machine-readable. If I am not
mistaken, there is not even a standard format for stack traces. Consider
ones generated from exceptions containing messages with newline characters.
How are you gonna deal with parsing those? Or thread names, custom levels,
custom markers, etc. with a newline? My point is, don't use `PatternLayout`
for exchanging data between systems. For that purpose, we recommend using
structured layouts, e.g., `JsonTemplateLayout`. ELK, Splunk, Datadog,
NewRelic, etc.: they all accept JSON.

In conclusion, I recommend that you use JTL for publishing logs to other
systems. If you have `PatternLayout` [encoder?] enhancements that we can
incorporate in a backward-compatible way, please share.
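Added example, not code from either message or from the log4j project: a log4j2.xml that puts the raw pattern layout Volkan warns about beside two mitigations, the `%enc{...}{CRLF}` pattern converter that log4j already ships for the newline case, and the `JsonTemplateLayout` he recommends for machine consumption. The appender names and the log file path are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <!-- Weak: a bare %m copies the message verbatim, so a newline inside
         the message (or the thread name) starts a new physical line that a
         downstream parser cannot tell apart from a genuine new event.
         Kept here only for comparison; nothing references it below. -->
    <Console name="PatternRaw" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%t] %-5level %c{1} - %m%n"/>
    </Console>

    <!-- Hardened pattern layout: %enc{...}{CRLF} replaces carriage returns
         and line feeds in the wrapped text with escaped \r and \n, so one
         event stays on one line. The stack trace (%ex) is emitted
         separately because it is multi-line by nature; consumers must
         treat the continuation lines as belonging to the preceding event. -->
    <Console name="PatternEncoded" target="SYSTEM_OUT">
      <PatternLayout pattern="%d{ISO8601} [%enc{%t}{CRLF}] %-5level %c{1} - %enc{%m}{CRLF}%n%ex"/>
    </Console>

    <!-- Preferred for exchanging data between systems: JsonTemplateLayout
         writes one JSON object per event with every string field
         JSON-escaped, so newlines in messages, thread names or markers
         cannot forge a second record. Requires the
         log4j-layout-template-json module on the classpath. -->
    <File name="JsonFile" fileName="logs/app.json.log">
      <JsonTemplateLayout eventTemplateUri="classpath:EcsLayout.json"/>
    </File>
  </Appenders>

  <Loggers>
    <!-- Human-readable console output uses the encoded pattern; the JSON
         file is what log shippers (ELK, Splunk, Datadog, ...) should read. -->
    <Root level="info">
      <AppenderRef ref="PatternEncoded"/>
      <AppenderRef ref="JsonFile"/>
    </Root>
  </Loggers>
</Configuration>
```

A quick check after deploying is to log a message containing an embedded newline and confirm that the console shows a single line with a literal `\n` while the JSON file still parses as exactly one object per event.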
