[ https://issues.apache.org/jira/browse/LOG4J2-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457298#comment-17457298 ]

Eric Everman commented on LOG4J2-3198:
--------------------------------------

Is there any possible configuration where the text of substituted parameters 
is substituted?  For instance:
{code:java}
logger.debug("User entered '{}', which is invalid", request.getParameter());
{code}
and 'request.getParameter()' returns something like:
{code:java}
${jndi:ldap://127.0.0.1:1389/a}
{code}
??

> Message lookups should be disabled by default
> ---------------------------------------------
>
>                 Key: LOG4J2-3198
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3198
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Layouts
>    Affects Versions: 2.14.1
>            Reporter: Carter Kozak
>            Assignee: Carter Kozak
>            Priority: Major
>             Fix For: 2.15.0
>
>
> Lookups in messages are confusing, and muddy the line between logging APIs 
> and implementation. Given a particular API, there's an expectation that a 
> particular shape of call will result in specific results. However, lookups in 
> messages can be passed into JUL and will result in resolved output in log4j 
> formatted output, but not any other implementations despite no direct 
> dependency on those implementations.
> There's also a cost to searching formatted message strings for particular 
> escape sequences which define lookups. This feature is not used as far as 
> we've been able to tell searching github and stackoverflow, so it's 
> unnecessary for every log event in every application to burn several cpu 
> cycles searching for the value.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
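
The issue description above says lookups are found by searching the formatted message string. As an added example (not Log4j's code and not part of the original message), this simplified Java model shows that order of operations: the `{}` placeholders are filled first, and only then is the result scanned for `${...}`, so parameter text reaches the scan unless message lookups are off. The class name, the `demo:host` lookup key and its value are constructed for illustration.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class MessageLookupModel {
    // Constructed, harmless lookup table standing in for a real lookup mechanism.
    static final Map<String, String> LOOKUPS = Map.of("demo:host", "app01");
    static final Pattern LOOKUP = Pattern.compile("\\$\\{([^}]+)\\}");

    // Step 1: fill each '{}' placeholder with the caller-supplied parameter text.
    static String format(String template, Object... params) {
        StringBuilder out = new StringBuilder();
        int from = 0, i = 0, at;
        while (i < params.length && (at = template.indexOf("{}", from)) >= 0) {
            out.append(template, from, at).append(params[i++]);
            from = at + 2;
        }
        return out.append(template.substring(from)).toString();
    }

    // Step 2: render the already formatted message. With message lookups on,
    // the scan cannot tell template text from parameter text any more.
    static String render(String formatted, boolean messageLookups) {
        if (!messageLookups) {
            return formatted; // escape sequences stay literal
        }
        Matcher m = LOOKUP.matcher(formatted);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            // Unknown keys are left as written.
            String value = LOOKUPS.getOrDefault(m.group(1), m.group(0));
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        return m.appendTail(out).toString();
    }

    public static void main(String[] args) {
        String userInput = "${demo:host}"; // constructed sample parameter value
        String formatted = format("User entered '{}', which is invalid", userInput);
        System.out.println("lookups on : " + render(formatted, true));
        System.out.println("lookups off: " + render(formatted, false));
    }
}
```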
