
Remember log4j? I don't share your enthusiasm.

At least it's open source and free, I guess.



What is your point even? That open source has bugs? The closed source does not have such bugs?


You won't have that bug if the logger isn't trying to talk to some ldap server.

It's not even about open source or closed source at this point. It's about feature creep.


It's not talking to an LDAP server, it's the functionality for talking to an LDAP server that is causing the issue. Even if you don't need LDAP you're still vulnerable when a client can inject information in a log message.


Why is this functionality needed in the first place? I want to write logs, some kind of string, into some kind of files, with rotation, maybe even send them somewhere that expects logs.

Why parse whatever is in the logs, at all?

Imagine the same stuff in your SSH client: it would parse the content before sending it over because a functionality requires it to talk to some server somewhere. It's insanity.


Log4j contains a very big collection of extensions for just about anything, including inserting data from various sources. Of course it's overkill for lots of situations, but nobody ever uses all the functionality. It's just that nobody can agree on which functionality is useless ;)


Indeed, software used by thousands of commercial products and millions of enterprise applications with ZERO dollars of support from either must be maintained at a perfect, bug-free level by lazy volunteers. Because the internet demands it.


Would it even be possible to create today's software ecosystems by mandating all libraries are maintained and supported to the strictest standards?

That would be the end of open source, hobbyists and startup companies because you'd have to pay up just to have a basic C library (or hope some companies would have reasonable licensing and support fees).

Remember one of the first GNU projects was GCC because a compiler was an expensive, optional piece of software on the UNIX systems in those days.


That would be the end of the software industry. No company outside of aerospace and medical devices is capable of delivering this and I even have my doubts about those two, though at least they are trying.


Wow.


That was a bug, not at all the same thing as enshittification.


It was enshittification. A logging framework that looks up LDAP servers? Why?

Adding extra features that aren't necessarily needed is enshittification, and very not-unix.


It's not really added functionality, more unintended consequences of too much flexibility. Java contains JNDI (Java naming & directory interface), a very unified 'directory' system for all kinds of configuration of which LDAP is just one of the backend implementation options. The key issue is you can call into other objects which is unwise to do when used with untrusted user input.


> The key issue is you can call into other objects which is unwise to do when used with untrusted user input.

This, and while in this case it is specifically unwise in security terms, there are plenty of other examples where the features are completely cosmetic and deviate from the core user requirements/scenario.
