This is an automated email from the ASF dual-hosted git repository. pkarwasz pushed a commit to branch fix/2.x/3790_allow-resource-protocol in repository https://gitbox.apache.org/repos/asf/logging-log4j2.git
commit 084a636bdc6f60f69311319ba290013f55cca6ad Author: Piotr P. Karwasz <[email protected]> AuthorDate: Tue Jul 1 13:31:34 2025 +0200 fix: Add `resource:` protocol to allowed URL schemes by default This update includes `resource:` in the list of allowed URL schemes for retrieving configuration files. See [`log4j2.configurationAllowedProtocols`](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.configurationAllowedProtocols) Currently, the `resource:` protocol is used exclusively by a `URLStreamHandler` that retrieves files from the embedded resources in a GraalVM native image. This makes it a secure and appropriate source for trusted configuration files. This change cannot be easily and reliably tested through a unit test. An integration test will be provided in apache/logging-log4j-samples#345 Closes #3790 --- .../logging/log4j/core/net/UrlConnectionFactory.java | 18 +++++++++++++++++- src/changelog/.2.x.x/3790_allow-resource-protocol.xml | 12 ++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java index e6ba2a1366..1f1b6d5a2a 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/UrlConnectionFactory.java @@ -51,7 +51,23 @@ public class UrlConnectionFactory { private static final String HTTP = "http"; private static final String HTTPS = "https"; private static final String JAR = "jar"; - private static final String DEFAULT_ALLOWED_PROTOCOLS = "https, file, jar"; + /** + * Default list of protocols that are allowed to be used for configuration files and other trusted resources. + * <p> + * By default, we trust the following protocols: + * <dl> + * <dt>file</dt> + * <dd>Local files</dd> + * <dt>https</dt> + * <dd>Resources retrieved through TLS to guarantee their integrity</dd> + * <dt>jar</dt> + * <dd>Resources retrieved from JAR files</dd> + * <dt>resource</dt> + * <dd>Resources embedded in a GraalVM native image</dd> + * </dl> + */ + private static final String DEFAULT_ALLOWED_PROTOCOLS = "file, https, jar, resource"; + private static final String NO_PROTOCOLS = "_none"; public static final String ALLOWED_PROTOCOLS = "log4j2.Configuration.allowedProtocols"; diff --git a/src/changelog/.2.x.x/3790_allow-resource-protocol.xml b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml new file mode 100644 index 0000000000..53d918f497 --- /dev/null +++ b/src/changelog/.2.x.x/3790_allow-resource-protocol.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<entry xmlns="https://logging.apache.org/xml/ns"; + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xsi:schemaLocation=" + https://logging.apache.org/xml/ns + https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"; + type="fixed"> + <issue id="3790" link="https://github.com/apache/logging-log4j2/issues/3790"/> + <description format="asciidoc"> + Allow `resource:` protocol for configuration files by default. + </description> +</entry>
