[ 
https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16360715#comment-16360715
 ] 

Dawid Weiss commented on LOG4J2-1959:
-------------------------------------

Perhaps I don't understand log4j2 enough, but this issue hit us recently. We 
have multiple configurations corresponding to different "levels" of logging 
verbosity. These (XML) configurations reused large fragments of loggers and 
appender configs using entity inclusion from shared files. This no longer works 
and is (quietly) ignored, resulting in a different behavior (parts of previous 
configuration silently ignored).

Unfortunately xinclude is not a solution because those "shared" XMLs contained 
only fragments of the final XML (say, configuration for a few loggers, not all 
of them), and they didn't have a proper root XML tag (so cannot be included). I 
had some hopes for xpointer, but no luck (xpointer never really caught on).

> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
>                 Key: LOG4J2-1959
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1959
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>    Affects Versions: 2.8.2
>            Reporter: Mikael Ståldal
>            Assignee: Mikael Ståldal
>            Priority: Major
>             Fix For: 2.9.0
>
>
> For security reasons, DTD processing should be disabled when parsing XML 
> configuration files.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to