vy commented on PR #3795: URL: https://github.com/apache/logging-log4j2/pull/3795#issuecomment-3031463576
> `resource:` protocol is used exclusively by a `URLStreamHandler`

I have some concerns regarding this change:

* This introduces a behavioral change. If I am not mistaken, one can even classify this as a vulnerability with sufficient imagination: _"I had this malicious _resource_ in my classpath, containing a malicious Log4j configuration, I've upgraded to `2.26.0`, and now this malicious configuration starts getting loaded!"_
* AFAIK, there is no such `USH` in JDK and this is a `USH` provided by Spring. Hence, this makes this fix Spring-only, which I am reluctant to make available for everyone. Can we instead fix this in the upstream, i.e., Spring Boot itself? If we can, I understand that this will only apply to users using the latest and greatest Spring Boot – though we can detail this document and share the `log4j2.configurationAllowedProtocols` workaround in the installation guide.
