in reply to Re^2: Log4Shell and Log::Log4perl
in thread Log4Shell and Log::Log4perl

If you can modify the config, you can modify the rest of the application.
True in Perl, Python, Javascript etc., not necessary in Java, C++, etc. - or at least harder. It boils down to proper access permissions and running the application always with least privileges.

The core of Log4Shell is the unexpected or little known behaviour of the library to contact remote services. Usually, I would expect from a configuration file to hold static read only data, not fractions of code that could be executed - and that's also unexpected or little known Log::Log4perl behaviour.

Replies are listed 'Best First'.
Re^4: Log4Shell and Log::Log4perl
by etj (Chaplain) on Dec 26, 2021 at 01:39 UTC
    True in Perl

    Do we agree that Log::Log4perl is Perl, though?

    unexpected or little known Log::Log4perl behaviour

    This doesn't seem to acknowledge your previous point that it's true in Perl.