Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/22 21:47:50 UTC

[GitHub] [logging-log4j2] carterkozak commented on pull request #649: Remove requirement of JndiLookup class to exist

carterkozak commented on pull request #649:
URL: https://github.com/apache/logging-log4j2/pull/649#issuecomment-999900777


   @riven8192 the repackaging plugins I'm aware of also match string constants and rewrite those when they match fully qualified class names. I believe that would work correctly with the implementation on release-2.x; however, not all repacking scripts update strings, in which case we'd end up logging a warning to the StatusLogger in that codepath.
   
   > breaking the effectiveness of the patch, leaving the service/server vulnerable.
   
   I'm not sure that's entirely correct -- the `JndiLookup` constructor checks the enablement property itself, and throws if JNDI lookups haven't been explicitly turned on:
   https://github.com/apache/logging-log4j2/blob/a19ef9bceeaad862cfc0b50394a7f791d5e17b8c/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/JndiLookup.java#L46-L50
   
   This would cause a warning to be logged here:
   https://github.com/apache/logging-log4j2/blob/a19ef9bceeaad862cfc0b50394a7f791d5e17b8c/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L78-L87


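Added example, not part of the original comment and not Log4j's own code: a self-contained Java sketch of the fail-closed pattern the comment describes, where a lookup is loaded by class-name string, its constructor enforces the opt-in, and any failure only produces a warning. The class names, the `demo.enableJndiLookup` property and the `stale.pkg.GuardedLookup` string are hypothetical, chosen for this illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class FailClosedLookupDemo {
    // Hypothetical property name, chosen for this example only.
    static final String ENABLE_PROP = "demo.enableJndiLookup";

    /** Stand-in for a sensitive lookup: the constructor itself enforces the opt-in. */
    public static class GuardedLookup implements Function<String, String> {
        public GuardedLookup() {
            if (!Boolean.getBoolean(ENABLE_PROP)) {
                throw new IllegalStateException("lookup disabled; set " + ENABLE_PROP + "=true");
            }
        }
        @Override public String apply(String key) { return "resolved:" + key; }
    }

    /** Loads a lookup by class-name string; any failure means it is not registered. */
    @SuppressWarnings("unchecked")
    static void register(Map<String, Function<String, String>> lookups,
                         String prefix, String className) {
        try {
            Object o = Class.forName(className).getDeclaredConstructor().newInstance();
            lookups.put(prefix, (Function<String, String>) o);
        } catch (LinkageError | Exception e) {
            // The constructor guard surfaces here wrapped in InvocationTargetException.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            System.err.println("WARN " + prefix + " lookup not registered: " + cause);
        }
    }

    public static void main(String[] args) {
        Map<String, Function<String, String>> lookups = new HashMap<>();
        String real = GuardedLookup.class.getName();

        // Property unset: the class loads, but its constructor throws.
        register(lookups, "jndi", real);
        // Relocated class whose name string was not rewritten: class not found.
        register(lookups, "jndi", "stale.pkg.GuardedLookup");
        System.out.println("registered by default: " + lookups.keySet());

        // Explicit opt-in: only now does the lookup get registered.
        System.setProperty(ENABLE_PROP, "true");
        register(lookups, "jndi", real);
        System.out.println("after opt-in: " + lookups.keySet()
                + " -> " + lookups.get("jndi").apply("x"));
    }
}
```

Both failure paths leave the `jndi` prefix unregistered, so a stale class-name string degrades to a warning rather than to an enabled lookup.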