This isn't because Log4j is doing anything wrong; this is because of increased scrutiny and eyeballs.
I do not envy the team having to work under this microscope :(
Certainly they’re not doing anything newly wrong, but in general having eval() in any logging library would have people aghast if it was newly created now. Sadly it slipped by unnoticed for years
It was a deliberate "feature" they had to keep around for backwards compatibility :( they knew it was risky but previously didn't feel they could break it
That’s what major versions are for though. Deprecate the feature in log4j 2.x pending its removal and add warnings at startup. Remove the feature in 3.x
The string interpolation feature wasn't present in log4j1 and adding it was one of many breaking changes going from log4j1 to the substantially different log4j2 API.
It wasn't a legacy feature and log4j2 isn't a continuation of log4j1 but rather a rewrite with the same brand.
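The design point the thread circles around, a logger that expands `${...}` lookups inside message text versus one that only expands them in the operator-controlled layout pattern, is easier to see in a toy model. The following is an added example, not code from the Log4j project or from anyone in this conversation; the lookup table, the `%msg` placeholder, the `${key}` token form and the sample message are all constructed here and only loosely mirror Log4j 2's pattern-layout and lookup syntax. No environment or network access is involved: every lookup resolves against the inline dictionary.

```python
import re
from typing import Dict

# Constructed lookup table standing in for the sources a real logging
# framework's lookups would consult (environment, system properties, ...).
# Values are made up for the example; nothing here is a real credential.
LOOKUPS: Dict[str, str] = {
    "env:APP_NAME": "orders-svc",
    "env:DB_PASSWORD": "example-secret-value",
}

# Token form assumed for the example: ${key}
LOOKUP_RE = re.compile(r"\$\{([^}]*)\}")


def resolve_lookups(text: str) -> str:
    """Expand every ${key} token from the constructed table.

    Unknown keys are left untouched so the caller can still see them.
    """
    return LOOKUP_RE.sub(lambda m: LOOKUPS.get(m.group(1), m.group(0)), text)


def format_unsafe(pattern: str, message: str) -> str:
    """Risky design: the message is spliced into the pattern first and the
    lookups are resolved over the fully rendered line, so ${...} tokens that
    arrived inside caller-supplied (possibly user-controlled) text are
    expanded as well. This is the 'eval() in a logging library' the thread
    objects to."""
    return resolve_lookups(pattern.replace("%msg", message))


def format_safe(pattern: str, message: str) -> str:
    """Safer design: lookups are resolved only over the operator-controlled
    pattern; the message is spliced in afterwards and is never interpreted,
    so whatever tokens it carries are logged literally."""
    return resolve_lookups(pattern).replace("%msg", message)


def contains_lookup_syntax(text: str) -> bool:
    """Detection helper for a log pipeline or request filter: flag inbound
    values that carry lookup syntax so they can be reviewed while a logger
    that still interprets message text is being upgraded."""
    return LOOKUP_RE.search(text) is not None


if __name__ == "__main__":
    # Constructed sample: an operator-chosen layout and a message whose
    # payload portion came from an untrusted request header.
    pattern = "[${env:APP_NAME}] %msg"
    message = "login from ua=${env:DB_PASSWORD}"
    print("unsafe:", format_unsafe(pattern, message))
    print("safe:  ", format_safe(pattern, message))
    print("flag:  ", contains_lookup_syntax(message))
```

The only difference between the two formatters is the order of the two operations, which is the whole point: once lookups run over text the application did not author, every caller of the logger becomes an interpolation surface. Later Log4j 2 releases took the `format_safe` direction and stopped resolving lookups inside message text; the `contains_lookup_syntax` check is a stopgap for spotting such tokens in inbound data, not a substitute for that upgrade.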