[
https://issues.apache.org/jira/browse/LOG4J2-3250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yanming Zhou updated LOG4J2-3250:
---------------------------------
Fix Version/s: 2.17.0
> Consider remove recursive replace for lookups
> ---------------------------------------------
>
> Key: LOG4J2-3250
> URL: https://issues.apache.org/jira/browse/LOG4J2-3250
> Project: Log4j 2
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.16.0
> Reporter: Yanming Zhou
> Priority: Major
> Labels: security
> Fix For: 2.17.0
>
>
> Log4j2 do recursive replace here:
> [https://github.com/apache/logging-log4j2/blob/0043e9238af0efd9dbce462463e0fa1bf14e35b0/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java#L1047]
> It's danger if variable value comes from user input.
> for example if we have pattern="${ctx:userAgent}" and put User-Agent to MDC,
> forged header 'User-Agent: ${sys:user.home}' will output actual user home not
> literal "${sys:user.home}", sensitive data may leak.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
