zstan commented on code in PR #13221:
URL: https://github.com/apache/ignite/pull/13221#discussion_r3436997517


##########
modules/core/src/main/java/org/apache/ignite/IgniteSystemProperties.java:
##########
@@ -1967,6 +1967,15 @@ public final class IgniteSystemProperties extends 
IgniteCommonsSystemProperties
     @SystemProperty(value = "Packages list to expose in configuration view")
     public static final String IGNITE_CONFIGURATION_VIEW_PACKAGES = 
"IGNITE_CONFIGURATION_VIEW_PACKAGES";
 
+
+    /**
+     * System property to allow remote HTTP/HTTPS URLs when loading Spring XML 
configuration.
+     * Remote URLs are blocked by default to prevent RCE via 
attacker-controlled Spring XML.
+     * FTP is always blocked regardless of this property due to MITM risk.
+     */
+    @SystemProperty(value = "Allow remote HTTP/HTTPS URLs when loading Spring 
XML configuration")
+    public static final String IGNITE_ALLOW_REMOTE_SPRING_CFG_URL = 
"ignite.spring.cfg.allowRemoteUrl";
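
Review bot: The Javadoc on IGNITE_ALLOW_REMOTE_SPRING_CFG_URL says FTP stays blocked "due to MITM risk", yet the same flag permits plain HTTP, which is exposed to the same in-transit tampering of the Spring XML. Consider restricting the opt-in to HTTPS, or state in the comment why HTTP is acceptable once the flag is set. Separately, the property string "ignite.spring.cfg.allowRemoteUrl" departs from the neighbouring constant, whose value matches its name (IGNITE_CONFIGURATION_VIEW_PACKAGES), and the hunk adds a second blank line before the Javadoc; aligning both with the surrounding style would keep the file consistent.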

Review Comment:
   Seems we also need to cover this flag's usage in tests?


