ppkarwasz commented on PR #3795:
URL: https://github.com/apache/logging-log4j2/pull/3795#issuecomment-3032388570

> If I am not mistaken, one even can classify this as a vulnerability with sufficient imagination: _"I had this malicious _resource_ in my classpath, containing a malicious Log4j configuration, I've upgraded to `2.26.0`, and now this malicious configuration starts getting loaded!"_

If an attacker has already gained the ability to place a malicious resource in the classpath, the system has already been compromised.

> AFAIK, there is no such `USH` in JDK and this is a `USH` provided by Spring. Hence, this makes this fix Spring-only, which I am reluctant to make available for everyone.

The `URLStreamHandler` for the `resource:` protocol is actually provided by the GraalVM runtime, not Spring Boot.

That said, I understand your concerns about allowing a protocol whose semantics are not fully defined. In 0f1af39dcb86a4e88f683d726f3dc2e4aa527284, I introduced a helper method, `SystemUtils.isGraalVm()`, which ensures that the `resource` protocol is only added when running in a GraalVM environment.
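As an added illustration of the runtime-gated protocol allow-list discussed in this comment (example code, not Log4j's own): `isGraalVm()` below is a hypothetical stand-in for `SystemUtils.isGraalVm()`, and the base set of allowed protocols is constructed for the example rather than taken from Log4j's defaults.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Illustrative allow-list for configuration-file URLs (hypothetical, not Log4j code). */
public final class ConfigUrlPolicy {

    /** Heuristic GraalVM detection; hypothetical stand-in for SystemUtils.isGraalVm(). */
    static boolean isGraalVm() {
        // GraalVM native images expose this system property at build and run time.
        if (System.getProperty("org.graalvm.nativeimage.imagecode") != null) {
            return true;
        }
        String vendor = System.getProperty("java.vm.vendor", "");
        return vendor.toLowerCase(Locale.ROOT).contains("graalvm");
    }

    /** Base protocols are constructed for this example; "resource" is added only on GraalVM. */
    static Set<String> allowedProtocols(boolean graalVm) {
        Set<String> allowed = new HashSet<>();
        allowed.add("file");
        allowed.add("jar");
        allowed.add("https");
        if (graalVm) {
            allowed.add("resource"); // only meaningful where the GraalVM handler is registered
        }
        return Collections.unmodifiableSet(allowed);
    }

    /** Rejects unknown protocols: URL construction fails when no handler is registered. */
    static boolean isAllowed(String spec, Set<String> allowed) {
        try {
            URL url = new URL(spec);
            return allowed.contains(url.getProtocol().toLowerCase(Locale.ROOT));
        } catch (MalformedURLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Set<String> allowed = allowedProtocols(isGraalVm());
        // Constructed sample URLs; on a HotSpot JVM "resource:" has no handler and is rejected.
        for (String spec : new String[] {
                "file:///etc/app/log4j2.xml", "resource:log4j2.xml", "https://example.invalid/log4j2.xml" }) {
            System.out.println(spec + " -> " + isAllowed(spec, allowed));
        }
    }
}
```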
