ppkarwasz opened a new pull request, #4144: URL: https://github.com/apache/logging-log4j2/pull/4144
Fixes #4064. ## Summary This PR makes XInclude support in XML configurations **opt-in** and reworks the XML hardening, addressing the security-hardening request in #4064. ### 1. XInclude is now disabled by default XInclude processing is no longer enabled unconditionally. It can be turned on with the `log4j2.configurationEnableXInclude` property. Since enabling XInclude is now an explicit user choice, a failure to activate `setXIncludeAware` is no longer silently ignored, and XML parse errors now propagate as a `ConfigurationException` instead of leaving a half-built configuration. ### 2. Hardening delegated to `copernik-xml-factory` The hand-rolled JAXP hardening code is replaced with the [`eu.copernik:copernik-xml-factory`](https://github.com/copernik-eu/copernik-xml-factory) library (an incubating project intended for Apache Commons or Xerces). It applies the security features supported by the actual factory implementation rather than swallowing the ones it does not support, and provides Android support out of the box. ### 3. XInclude/entity resolution through `ConfigurationSource` A custom `EntityResolver` based on `ConfigurationSource.fromUri` resolves external entities and XInclude resources the same way the configuration itself is resolved. As a result, includes now benefit from Log4j URI conventions, in particular the `classpath:` scheme (for example, to pull in a default configuration shipped on the classpath, as Spring Boot does), which was not possible before, and they honor the `log4j2.configurationAllowedProtocols` restrictions. ## Notes The `XmlConfigurationSecurity` test was being silently skipped by Surefire because its class name did not end in `Test`; it is renamed to `XmlConfigurationSecurityTest` and updated to the new behavior. ## Checklist * [x] Base your changes on `2.x` branch * [x] `./mvnw verify` succeeds * [x] Non-trivial changes contain an entry file in the `src/changelog/.2.x.x` directory * [x] Tests are provided -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
