vy commented on issue #3794: URL: https://github.com/apache/logging-log4j2/issues/3794#issuecomment-3031367853
@ppkarwasz, agreed that `log4j2.configurationAllowedProtocols` was probably intended only for _external_ protocols – i.e., neither `file`, nor `classpath`. The title of the ticket that delivered this feature hints in this direction too: [LOG4J2-3297: Disable remote loading of log4j configuration to prevent MiTM Attacks](https://issues.apache.org/jira/browse/LOG4J2-3297). That said,

* non-external protocols are valid URL _protocols_ too, and hence, should be subject to the same regulations.
* `UrlConnectionFactory.DEFAULT_ALLOWED_PROTOCOLS` is set to `"https, file, jar"`, which is a mix of both external and internal protocols.

I suggest the following:

1. Make it clear that `log4j2.configurationAllowedProtocols` is exercised for all configuration locations
2. Match the implementations to do so: fix the inconsistencies across `createConnection()`
3. Extend `DEFAULT_ALLOWED_PROTOCOLS` with `classpath`
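As an added illustration of the point above (hypothetical code, not Log4j's `UrlConnectionFactory`), the following class runs one protocol allowlist check over every configuration location, internal or external, and shows how the default quoted in the comment treats `classpath:` compared with the proposed extended default. The class name, the `isAllowed` helper and the sample locations are assumptions constructed for this example.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical helper, not Log4j's own code: a single allowlist check that
// every configuration location passes through, whatever its protocol.
public final class ConfigProtocolGate {

    // Mirrors the current default quoted in the comment.
    static final String CURRENT_DEFAULT = "https, file, jar";
    // Suggestion 3 from the comment: add classpath to the default.
    static final String PROPOSED_DEFAULT = "https, file, jar, classpath";

    // Parse the comma-separated property value into a normalised set of schemes.
    static Set<String> parseAllowed(String csv) {
        return Arrays.stream(csv.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toSet());
    }

    /** Returns true only if the location has a scheme and that scheme is allowlisted. */
    static boolean isAllowed(String location, String allowedCsv) {
        URI uri = URI.create(location);
        String scheme = uri.getScheme();
        if (scheme == null) {
            return false; // a bare path carries no protocol to check; not allowlisted
        }
        return parseAllowed(allowedCsv).contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample locations covering external and internal protocols.
        String[] locations = {
            "https://example.invalid/log4j2.xml",
            "http://example.invalid/log4j2.xml",
            "file:///etc/app/log4j2.xml",
            "jar:file:///opt/app/app.jar!/log4j2.xml",
            "classpath:log4j2.xml",
        };
        for (String loc : locations) {
            System.out.printf("%-45s current=%-5s proposed=%s%n", loc,
                    isAllowed(loc, CURRENT_DEFAULT), isAllowed(loc, PROPOSED_DEFAULT));
        }
    }
}
```

With the current default, `classpath:log4j2.xml` is rejected by the same check that admits `file:` and `jar:` locations; the proposed default admits it, while `http:` stays blocked under both.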