Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/25 03:19:02 UTC

[GitHub] [logging-log4j2] Gamebuster19901 commented on a change in pull request #644: LOG4J2-3259: Limit max recursion depth when interpolating strings.

Gamebuster19901 commented on a change in pull request #644:
URL: https://github.com/apache/logging-log4j2/pull/644#discussion_r775102029



##########
File path: log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/StrSubstitutor.java
##########
@@ -168,6 +168,11 @@
 
     private static final int BUF_SIZE = 256;
 
+    /**
+     * The maximum number of recursions performed during substitution.
+     */
+    private static final int MAX_SUBSTITUTION_RECURSIONS = 10;
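Review bot: the Javadoc on `MAX_SUBSTITUTION_RECURSIONS` names the constant but does not say what happens when the limit is reached, and this hunk does not show the check that consumes it; document on the constant whether substitution throws or returns the partially substituted string at the limit, and whether the count is per top-level replace call, since callers relying on the result need to know. Note also that the field is `private static final`, so it cannot be changed at runtime through a system property; if a configurable override is ever added elsewhere, it should be clamped to a small positive range rather than accepting any value.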

Review comment:
I disagree. If a developer needs a depth of more than 10, they should rethink their design. I would remove the `MAX_SUBSTITUTION_RECURSIONS` altogether and hardcode the value of `10` in `checkRecursionEventNotExceeded`. Fields and system properties could potentially be modified by a malicious actor, and set to something ridiculous like `-1` or `Integer.MAX_VALUE`.
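
The point under discussion, a substitutor whose recursion limit is a hardcoded constant rather than a field or system property, shown as an added example that is not log4j's `StrSubstitutor` and not code from the pull request. The class `BoundedSubstitutor`, its `MAX_DEPTH` constant and the `${name}` placeholder syntax it resolves are assumptions of this example; it re-substitutes the result of each pass until no placeholder remains and rejects the input once a fixed depth is exceeded, so a self-referencing value cannot expand without bound.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical bounded substitutor (added example, not log4j code).
 * Resolves ${name} placeholders from a map, feeding the result back in
 * until it stops changing, but gives up after a fixed number of passes.
 */
public final class BoundedSubstitutor {
    // Hardcoded on purpose: not a field and not read from a system property,
    // so it cannot be set to -1 or Integer.MAX_VALUE from outside the class.
    private static final int MAX_DEPTH = 10;
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^${}]+)\\}");

    private final Map<String, String> vars;

    public BoundedSubstitutor(Map<String, String> vars) {
        this.vars = new HashMap<>(vars);
    }

    public String replace(String input) {
        return replace(input, 0);
    }

    private String replace(String input, int depth) {
        if (depth > MAX_DEPTH) {
            throw new IllegalStateException(
                "substitution depth exceeded " + MAX_DEPTH + " for: " + input);
        }
        Matcher m = PLACEHOLDER.matcher(input);
        if (!m.find()) {
            return input; // no placeholder left: done
        }
        StringBuilder sb = new StringBuilder();
        int last = 0;
        do {
            sb.append(input, last, m.start());
            String value = vars.get(m.group(1));
            // Unknown variable: keep the placeholder literally so the
            // output reaches a fixed point instead of recursing forever.
            sb.append(value != null ? value : m.group());
            last = m.end();
        } while (m.find());
        sb.append(input, last, input.length());
        String out = sb.toString();
        // Unchanged output is a fixed point; otherwise re-scan one level deeper.
        return out.equals(input) ? out : replace(out, depth + 1);
    }

    public static void main(String[] args) {
        Map<String, String> v = new HashMap<>();       // constructed sample values
        v.put("a", "${b}");
        v.put("b", "${c}");
        v.put("c", "done");
        v.put("loop", "${loop}-again");                // self-referencing value
        BoundedSubstitutor s = new BoundedSubstitutor(v);

        System.out.println(s.replace("value=${a}"));   // value=done (3 passes)
        System.out.println(s.replace("${missing}"));   // ${missing} (left as-is)
        try {
            s.replace("${loop}");                      // grows every pass
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A chain three references deep resolves normally, an unknown name is left untouched rather than retried, and the self-referencing `loop` value is rejected once the pass count passes `MAX_DEPTH`; because the limit is a compile-time constant, changing it means rebuilding the class rather than flipping a property.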




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org