[reload4j] SQL injection problem in JDBCAppender

Robert Olofsson unlogic at unlogic.se
Wed Jan 19 09:44:07 CET 2022


Hi,

I think that's a sensible suggestion.

Those who need that functionality could always add a JDBCAppender of their own separately.

/Robert
--  _______________________________________
Robert Olofsson, Sweden

http://www.unlogic.se

On January 19, 2022 9:38:04 AM GMT+01:00, "Ceki Gülcü" <ceki at qos.ch> wrote:
>
>Hi All,
>
>JDBCAppender uses simple strings instead of java.sql.Statement to talk
>to the database. This creates a vulnerability point for SQL injection
>attacks.
>
>Fixing this vulnerability in JDBCAppender (a rarely used component) in a
>backward compatible way would be a lot of work for very little or no
>benefit.
>
>As such, I propose to remove JDBCAppender from reload4j with no replacement.
>
>Any objections?
>
>-- 
>Ceki Gülcü
>
>Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
>_______________________________________________
>reload4j mailing list
>reload4j at qos.ch
>http://mailman.qos.ch/cgi-bin/mailman/listinfo/reload4j
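The failure mode Ceki describes (the log event pasted into the SQL text, so quotes in a logged message become SQL) is shown below as an added example; it is not code from reload4j or log4j, and Python with the standard-library sqlite3 module stands in for the Java/JDBC pattern. The `VULN_PATTERN`, the `EVENTS` list and the table layout are constructed for the demonstration; the `?` placeholders in `append_safe` are the sqlite3 equivalent of a `java.sql.PreparedStatement` bind.

```python
import sqlite3

# Hypothetical statement template in the style of an appender "sql" setting:
# %p (level) and %m (message) are replaced textually before execution.
VULN_PATTERN = "INSERT INTO logs (level, message) VALUES ('%p', '%m')"

# Constructed log events. The second message contains attacker-controlled
# input that ended up in a log line (for example a submitted user name).
EVENTS = [
    ("INFO", "user login ok"),
    ("INFO", "user login failed for: x'), ('ERROR', 'forged entry"),
]


def fresh_db():
    """In-memory database with a minimal log table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, message TEXT)")
    return conn


def append_vulnerable(conn, level, message):
    """String substitution: the message becomes part of the SQL grammar,
    so a quote in it closes the literal and the rest is parsed as SQL."""
    sql = VULN_PATTERN.replace("%p", level).replace("%m", message)
    conn.execute(sql)
    return sql


def append_safe(conn, level, message):
    """Parameterised insert: level and message are bound as values and
    never interpreted as SQL, whatever characters they contain."""
    conn.execute(
        "INSERT INTO logs (level, message) VALUES (?, ?)", (level, message)
    )


def run(appender):
    """Feed EVENTS through the given appender and return the stored rows."""
    conn = fresh_db()
    try:
        for level, message in EVENTS:
            appender(conn, level, message)
        return conn.execute(
            "SELECT level, message FROM logs ORDER BY rowid"
        ).fetchall()
    finally:
        conn.close()


def vulnerable_rejects(message):
    """True when the substituted statement no longer parses, i.e. a single
    apostrophe in a log message is enough to make the appender fail."""
    conn = fresh_db()
    try:
        append_vulnerable(conn, "INFO", message)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("vulnerable:", run(append_vulnerable))
    print("safe:      ", run(append_safe))
    print("apostrophe breaks vulnerable path:", vulnerable_rejects("it's broken"))
```

With the substitution path the second event yields a third, attacker-chosen row (`('ERROR', 'forged entry')`), and a message with a lone apostrophe makes the insert fail outright; with the bound parameters both messages are stored verbatim as exactly one row each.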