Log4J: I have not seen anyone mention yet that: the fact that the feature was created with "LOG4J_FORMAT_MSG_NO_LOOKUPS=true" as an option.... meant that someone in the past might've thought this might be an issue in the future.

Very interesting.

· · Web · 1 · 0 · 1

@mdm I'd guess they were thinking of other things than security though, like 'increase performance somewhat by skipping looking for lookups' or 'I actually want this thing that looks like a lookup to be logged verbatim'

@raboof But this is a global option, right? I'm currently setting it right now at the environment level. It seems to be more an option, not for individual use cases, but "do not use this feature in this entire application, ever."

Sign in to participate in the conversation
McNamarii Town

This is a private mastodon server for members of the Team McNamara Group.