ppkarwasz commented on a change in pull request #784:
URL: https://github.com/apache/logging-log4j2/pull/784#discussion_r819783961



##########
File path: 
log4j-core/src/main/java/org/apache/logging/log4j/core/config/ConfigurationSource.java
##########
@@ -370,21 +362,8 @@ public static ConfigurationSource fromResource(final 
String resource, final Clas
 
     private static ConfigurationSource getConfigurationSource(URL url) {
         try {
-            URLConnection urlConnection = url.openConnection();
-            // A "jar:" URL file remains open after the stream is closed, so 
do not cache it.
-            urlConnection.setUseCaches(false);
-            AuthorizationProvider provider = 
ConfigurationFactory.authorizationProvider(PropertiesUtil.getProperties());
-            provider.addAuthorization(urlConnection);
-            if (url.getProtocol().equals(HTTPS)) {
-                SslConfiguration sslConfiguration = 
SslConfigurationFactory.getSslConfiguration();
-                if (sslConfiguration != null) {
-                    ((HttpsURLConnection) 
urlConnection).setSSLSocketFactory(sslConfiguration.getSslSocketFactory());
-                    if (!sslConfiguration.isVerifyHostName()) {
-                        ((HttpsURLConnection) 
urlConnection).setHostnameVerifier(LaxHostnameVerifier.INSTANCE);
-                    }
-                }
-            }
             File file = FileUtils.fileFromUri(url.toURI());
+            URLConnection urlConnection = 
UrlConnectionFactory.createConnection(url);
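
Review bot: the removed `urlConnection.setUseCaches(false)` and its comment about "jar:" URLs staying open are gone from this call site, so `UrlConnectionFactory.createConnection(url)` has to disable caching itself or jar-packaged configurations will keep the file open after the stream is closed. Please confirm the factory also still applies the `AuthorizationProvider`, the `SslConfiguration` socket factory and the `isVerifyHostName()` check as the removed block did, and carry the explanatory comment over to the factory. The connection is also now created after `FileUtils.fileFromUri(url.toURI())` instead of before it; if the factory rejects a protocol by throwing, check that the enclosing `try` handles that exception type.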

Review comment:
       This adds the protection against downloading from HTTP links introduced in LOG4J2-3297.



