vy commented on issue #3794:
URL: 
https://github.com/apache/logging-log4j2/issues/3794#issuecomment-3031367853

   @ppkarwasz, agreed that `log4j2.configurationAllowedProtocols` was probably 
intended only for _external_ protocols – i.e., neither `file`, nor `classpath`. 
The title of the ticket delivered this feature hints in this direction too: 
[LOG4J2-3297: Disable remote loading of log4j configuration to prevent MiTM 
Attacks](https://issues.apache.org/jira/browse/LOG4J2-3297). That said,
   
   * non-external protocols are valid URL _protocols_ too, and hence, should be 
subject to same regulations.
   * `UrlConnectionFactory.DEFAULT_ALLOWED_PROTOCOLS` is set to `"https, file, 
jar"`, which is a mix of both external and internal protocols.
   
   I suggest the following
   
   1. Make it clear that `log4j2.configurationAllowedProtocols` is exercised 
for all configuration locations
   2. Match the implementations to do so: fix the inconsistencies across 
`createConnection()`
   3. Extend `DEFAULT_ALLOWED_PROTOCOLS` with `classpath`
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to