The GitHub Actions job "Java CI" on commons-configuration.git/fix/file-location-strategy-protocols has succeeded.
Run started by GitHub user ppkarwasz (triggered by ppkarwasz).

Head commit for run:
4b13c5ce9106a8514a9ad8f2d65cf8a67407cb84 / Piotr P. Karwasz <[email protected]>
Extend scheme validation to inner schemes of jar: URLs

Builds on #633 by recursively validating the inner URL of a jar: URL against the same scheme and host allow-lists.

This deliberately changes the previous semantics: for `jar:http://host/...` to be accepted, both `jar` and `http` must appear in the allow-list, and the inner host must satisfy the host allow-list.

An alternative considered was the grammar documented by [`XMLConstants`](https://docs.oracle.com/en/java/javase/25/docs/api/java.xml/javax/xml/XMLConstants.html), where tokens like `jar:file` or `jar:http` would explicitly allow specific inner schemes. That grammar is documented but not honored by the JDK reference implementation: `jdk.xml.internal.SecuritySupport.checkAccess` (verified on JDK 8, 17 and 25) strips the `jar:` prefix and matches only the inner scheme as a bare token, so a `jar:http` entry in the allow-list never matches anything. Aligning with the documented spec would have added marginal expressiveness at the cost of diverging from what JDKs actually do.

Report URL: https://github.com/apache/commons-configuration/actions/runs/25729009623

With regards,
GitHub Actions via GitBox
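
The recursive check described in the commit message, as an added Java sketch that is not the commit's or Commons Configuration's own code. The class and method names are hypothetical, the sample URLs and host are constructed, and three choices are assumptions of this sketch: the inner URL ends at the last "!/", nesting is bounded at four levels, and a URL with no authority has no host to check.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added illustration: names are hypothetical, not Commons Configuration API.
public final class JarAwareUrlCheck {
    private static final int MAX_DEPTH = 4; // assumed bound on jar:jar:... nesting

    static boolean isAllowed(String url, Set<String> schemes, Set<String> hosts) {
        return check(url, schemes, hosts, 0);
    }

    private static boolean check(String url, Set<String> schemes, Set<String> hosts, int depth) {
        int colon = url.indexOf(':');
        if (depth > MAX_DEPTH || colon <= 0) {
            return false; // too deeply nested, or no scheme at all
        }
        String scheme = url.substring(0, colon).toLowerCase(Locale.ROOT);
        if (!schemes.contains(scheme)) {
            return false; // every layer, including "jar" itself, must be listed
        }
        if (scheme.equals("jar")) {
            int sep = url.lastIndexOf("!/"); // assumption: inner URL ends at the last "!/"
            return sep > colon && check(url.substring(colon + 1, sep), schemes, hosts, depth + 1);
        }
        try {
            URI uri = new URI(url);
            if (uri.getRawAuthority() == null) {
                return true; // assumption: no authority (file:/path) means no host to check
            }
            String host = uri.getHost(); // null when the authority is not a parseable host
            return host != null && hosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (URISyntaxException e) {
            return false; // fail closed on anything URI cannot parse
        }
    }

    public static void main(String[] args) {
        Set<String> both = Set.of("jar", "http", "file");
        Set<String> innerOnly = Set.of("http", "file"); // "jar" missing: every jar: URL fails
        Set<String> hosts = Set.of("repo.example.org"); // constructed sample host
        String[] samples = { // constructed sample URLs
            "jar:http://repo.example.org/cfg.jar!/app.properties",
            "jar:http://other.example.net/cfg.jar!/app.properties",
            "jar:file:/opt/app/cfg.jar!/app.properties",
            "jar:jar:http://other.example.net/a.jar!/b.jar!/app.properties",
        };
        for (String s : samples) {
            System.out.printf("%-64s jar+inner=%-5b inner-only=%b%n", s, isAllowed(s, both, hosts), isAllowed(s, innerOnly, hosts));
        }
    }
}
```

Rejecting a URL whose authority is present but yields no host from `URI.getHost()` keeps a malformed host name from being treated as "no host" and skipping the host allow-list.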
