mimaison commented on code in PR #17920:
URL: https://github.com/apache/kafka/pull/17920#discussion_r1867575527
##########
docs/configuration.html:
##########
@@ -302,6 +302,22 @@ <h4><a
id="org.apache.kafka.disallowed.login.modules"></a><a id="systempropertie
<tr><th>Default
Value:</th><td>com.sun.security.auth.module.JndiLoginModule</td></tr>
</tbody></table>
</li>
+ <li>
+ <h4><a id="org.apache.kafka.automatic.config.providers"></a><a
id="systemproperties_org.apache.kafka.automatic.config.providers"
href="#systemproperties_org.apache.kafka.automatic.config.providers">org.apache.kafka.automatic.config.providers</a></h4>
+ <p>This system property controls the automatic loading of ConfigProvider
implementations in Apache Kafka. ConfigProviders are used to dynamically supply
configuration values from sources such as files, directories, or environment
variables. This property accepts a comma-separated list of ConfigProvider
names. By default, all built-in ConfigProviders are enabled, including
<b>FileConfigProvider</b>, <b>DirectoryConfigProvider</b>, and
<b>EnvVarConfigProvider</b>.</p>
+ <p>If users want to disable all automatic ConfigProviders, they need to
explicitly set the system property as shown below. Disabling automatic
ConfigProviders is recommended in environments where configuration data comes
from untrusted sources or where increased security is required. For more
details, see <a
href="https://nvd.nist.gov/vuln/detail/CVE-2024-31141">CVE-2024-31141</a>.</p>
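Review bot: In the first added <p>, "a comma-separated list of ConfigProvider names" does not say whether the values are fully qualified class names or the simple names shown in bold (FileConfigProvider, DirectoryConfigProvider, EnvVarConfigProvider). The entry just above documents its default as a fully qualified class name (com.sun.security.auth.module.JndiLoginModule), so readers may assume the same format applies here. Please state the expected format explicitly and write the built-in providers in that form, so an operator restricting the list can copy a value that works. In the second added <p>, the recommendation to disable the providers leaves the reason entirely to the CVE link; one sentence tying it to the fact that these providers read files, directories and environment variables on behalf of whoever supplies the configuration would let the paragraph stand on its own.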
Review Comment:
Should we link to https://kafka.apache.org/cve-list#CVE-2024-31141 instead?
--
This is an automated message from the Apache Git Service.