October 26, 2024
java

Why is concatenation in log4j prone to attacks?


Here: https://logging.apache.org/log4j/2.x/manual/getting-started.html#best-practice-concat

They say this about using string concatenation in log4j:

More importantly, this approach is prone to attacks! Imagine userId
being provided by the user with the following content: placeholders
for non-existing args to trigger failure: {} {} {dangerousLookup}

Could someone explain why this is dangerous? I don’t get what string concatenation has to do with this "dangerousLookup" thing.



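The point behind the documentation's warning is that a logging call has two kinds of input: the message template (code, written by the developer) and the arguments (data). String concatenation moves user data into the template, so whatever the template parser understands, `{}` placeholders and `${name}` lookups, is now under the user's control. The following is an added example, not code from the question or from Log4j itself: a small Python model of a parameterized message formatter with a constructed lookup table, used to compare the concatenated and the parameterized call on the same hostile userId. The attacker string is constructed after the documentation's example, with the `$` of Log4j's `${name}` lookup syntax added. Two simplifications are assumptions of this model, not statements about Log4j: lookups are expanded only in the template text, and placeholders without a matching argument are left as literal `{}`.

```python
"""Model of concatenated vs parameterized logging (added example, not Log4j code)."""
import re

class LookupError_(Exception):
    """Raised when the template names a lookup the formatter does not know."""

# Constructed lookup table standing in for a logger's configured lookups.
INVOKED_LOOKUPS = []          # records which lookups the formatter actually ran

def _dangerous_lookup():
    # Stand-in for a lookup with side effects; the only thing we record is that it ran.
    INVOKED_LOOKUPS.append("dangerousLookup")
    return "<resolved-by-lookup>"

LOOKUPS = {
    "hostname": lambda: "app-host-1",        # constructed value
    "dangerousLookup": _dangerous_lookup,
}

LOOKUP_RE = re.compile(r"\$\{([^}]*)\}")     # matches ${name}; a bare {} does not match

def resolve_lookups(template):
    """Expand every ${name} in the TEMPLATE. Only the template is parsed (model assumption)."""
    def substitute(match):
        name = match.group(1)
        if name not in LOOKUPS:
            raise LookupError_(f"unknown lookup: {name}")
        return LOOKUPS[name]()
    return LOOKUP_RE.sub(substitute, template)

def format_message(template, *args):
    """Bind args, in order, to the {} placeholders of the template.

    Argument values are inserted verbatim: they are never scanned for {} or ${...}.
    A placeholder with no argument is left as a literal {} (model assumption).
    """
    expanded = resolve_lookups(template)
    parts = expanded.split("{}")
    out = [parts[0]]
    for i, tail in enumerate(parts[1:]):
        out.append(str(args[i]) if i < len(args) else "{}")
        out.append(tail)
    return "".join(out)

CLIENT_IP = "10.0.0.5"    # constructed second argument, as the developer intended it

def log_concat(user_id):
    """The pattern the Log4j docs warn about: user data becomes part of the template."""
    return format_message("Login by " + user_id + " from {}", CLIENT_IP)

def log_parameterized(user_id):
    """The recommended pattern: the template is fixed, user data is an argument."""
    return format_message("Login by {} from {}", user_id, CLIENT_IP)

def render(log_fn, user_id):
    """Run one logging call and report (output text, lookups that were invoked)."""
    INVOKED_LOOKUPS.clear()
    text = log_fn(user_id)
    return text, list(INVOKED_LOOKUPS)

# Constructed after the documentation's example, with Log4j's ${...} lookup syntax.
HOSTILE_USER_ID = "placeholders for non-existing args to trigger failure: {} {} ${dangerousLookup}"

if __name__ == "__main__":
    for name, fn in (("concat", log_concat), ("parameterized", log_parameterized)):
        for user_id in ("alice", HOSTILE_USER_ID):
            text, lookups = render(fn, user_id)
            print(f"{name:13} lookups={lookups} -> {text}")
```

With `"alice"` both calls produce the same line, which is why the concatenation habit looks harmless. With the hostile userId the parameterized call prints the attacker's text verbatim and runs no lookup, while the concatenated call runs `dangerousLookup` and binds the client IP to the attacker's first `{}`, leaving the real `from {}` field empty: the attacker has shifted the arguments and triggered template-level processing simply by choosing a username.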