
14 Dec 2021, 5 p.m.
On Mon, 13 Dec 2021 21:14:09 +1300, I wrote:
But one thing you should never, ever do is, having substituted some text from some random source (e.g. user input), go back and scan that text for format substitution codes. But that is what the buggy code does.
Turns out the “feature” could not be removed because of concerns for backward compatibility, according to <https://www.theregister.com/2021/12/14/log4j_vulnerability_open_source_funding/>. That article also describes a situation reminiscent of OpenSSL when the Heartbleed bug was discovered, namely that the project has been limping along on a shoestring for years, while lots of large companies are profiting from, and have become crucially dependent on, their work.
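The design principle in the quoted sentence (substitute untrusted text once, never re-scan the result for more substitution codes) is easy to see in a toy formatter. The following Python is an added example, not code from the post's author or from the log4j project: it uses a constructed `${key}` placeholder syntax, a small hypothetical lookup table and a `%m` message marker standing in for a logger's pattern layout, and contrasts a formatter that rescans its own output with one that makes a single pass over the template only. A small check that flags placeholder syntax arriving inside untrusted input is included for the detection side.

```python
import re

# Constructed lookup table standing in for the variable sources a logger
# might expose (assumption; not log4j's real lookups).
LOOKUPS = {
    "app": "billing-service",
    "host": "web01.example.internal",
}

PLACEHOLDER = re.compile(r"\$\{([^}]*)\}")      # ${key}
TOKEN = re.compile(r"%m|\$\{([^}]*)\}")          # %m or ${key}


def resolve(key):
    """Resolve one lookup key; unknown keys are left verbatim."""
    return LOOKUPS.get(key, "${" + key + "}")


def format_rescanning(template, message, max_rounds=10):
    """Flawed design: insert the message, then keep scanning the *result*
    for placeholders until none remain. Any ${...} that arrived inside the
    untrusted message is treated exactly like a placeholder the template
    author wrote, which is the mistake the post describes."""
    text = template.replace("%m", message)
    for _ in range(max_rounds):
        new = PLACEHOLDER.sub(lambda m: resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def format_single_pass(template, message):
    """Correct design: one left-to-right pass over the template alone.
    The message is copied into the output as opaque data, and text produced
    by a substitution is never scanned again, so placeholder syntax inside
    the message has no meaning."""
    def substitute(m):
        if m.group(0) == "%m":
            return message            # data, not template
        return resolve(m.group(1))
    return TOKEN.sub(substitute, template)


def looks_like_injection(message):
    """Defender-side check: does untrusted input carry placeholder syntax?
    Useful for alerting on log lines even when the formatter is fixed."""
    return PLACEHOLDER.search(message) is not None


if __name__ == "__main__":
    template = "${app} on ${host}: %m"
    # Constructed untrusted input carrying placeholder syntax.
    message = "login failed for user ${host}"
    print("rescanning :", format_rescanning(template, message))
    print("single pass:", format_single_pass(template, message))
    print("flagged    :", looks_like_injection(message))
```

With the single-pass formatter the output ends in the literal text `${host}`, because the message is never treated as a template; the rescanning formatter silently resolves it. The same distinction applies to any templating layer that interpolates untrusted data: the substitution engine must run over the template, not over the template-plus-data it has already produced.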