[ 
https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068627#comment-16068627
 ] 

Brian Martin commented on LOG4J2-1959:
--------------------------------------

Can you clarify the potential attack vector? Can a lower privileged user upload 
a configuration file or somehow inject a file into Log4J's process? Or is this 
a "just in case" / defense-in-depth fix? I couldn't find a commit to look into 
this more.

> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
>                 Key: LOG4J2-1959
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1959
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>    Affects Versions: 2.8.2
>            Reporter: Mikael Ståldal
>            Assignee: Mikael Ståldal
>             Fix For: 2.9
>
>
> For security reasons, DTD processing should be disabled when parsing XML 
> configuration files.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
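The mitigation the issue describes, disabling DTD processing before an XML configuration file is parsed, looks like the following in plain JAXP. This is an added example for illustration, not Log4j's own XmlConfiguration code; the class name HardenedXmlConfigParser, the two sample configuration strings and the helper methods are all constructed here. The feature URIs are the standard Xerces/SAX ones implemented by the JDK's built-in parser.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical parser for an XML logging configuration; not Log4j's own code. */
public class HardenedXmlConfigParser {

    // Constructed sample: a configuration that carries an inline DTD declaring an
    // entity. A parser with DTD processing disabled must refuse this document.
    static final String CONFIG_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Configuration [ <!ENTITY level \"debug\"> ]>\n"
        + "<Configuration status=\"&level;\">\n"
        + "  <Loggers><Root level=\"&level;\"/></Loggers>\n"
        + "</Configuration>\n";

    // Constructed sample: the same configuration with no DOCTYPE at all.
    static final String CONFIG_PLAIN =
        "<?xml version=\"1.0\"?>\n"
        + "<Configuration status=\"debug\">\n"
        + "  <Loggers><Root level=\"debug\"/></Loggers>\n"
        + "</Configuration>\n";

    /** DocumentBuilder with DOCTYPE declarations and external DTD/entity loading turned off. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; the parser throws before the DTD is processed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case an implementation does not honour the feature above.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Returns the Root logger's level attribute, or null if the document was rejected. */
    static String parseRootLevel(String xml) throws ParserConfigurationException, IOException {
        try {
            Document doc = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return doc.getElementsByTagName("Root").item(0)
                      .getAttributes().getNamedItem("level").getNodeValue();
        } catch (SAXException rejected) {
            // disallow-doctype-decl surfaces as a SAXParseException at the DOCTYPE line.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain config -> " + parseRootLevel(CONFIG_PLAIN));
        System.out.println("config with DTD -> " + parseRootLevel(CONFIG_WITH_DTD));
    }
}
```

The first call parses normally; the second is rejected at the DOCTYPE line, so the entity is never expanded and no external DTD or entity is ever fetched. Note that `setFeature` throws `ParserConfigurationException` for any URI the chosen parser implementation does not recognise, which is the desired fail-closed behaviour: a configuration loader should refuse to start rather than silently fall back to a parser that still processes DTDs.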
