ppkarwasz opened a new pull request, #4161:
URL: https://github.com/apache/logging-log4j2/pull/4161

   ## Summary
   
   > [!NOTE]
   >
   >Stacked on #4158 (`feat/2.x/xinclude-opt-in`). Routes every external 
resource an XML configuration references through `ConfigurationSource`, the 
same way the configuration file itself is resolved.
   
   A single `ConfigurationSourceResolver` (implementing `EntityResolver` + 
`LSResourceResolver`) resolves:
   
   - `xi:include` targets,
   - the validation schema (the `schema` attribute), and
   - the schema's own `xsd:include`/`xsd:import` resources.
   
   As a result, all of them support the Log4j URI conventions (such as the 
`classpath:` scheme) and are subject to the 
`log4j2.configurationAllowedProtocols` restrictions, limiting the blast radius 
of a (trusted) configuration.
   
   ## Behavior changes
   
   - A schema validation failure, or a resource rejected by the resolver (for 
example a sub-schema fetched over a disallowed protocol), now fails the 
configuration with a `ConfigurationException` instead of only logging.
   
   ## Notes
   
   - Schema validation remains a configuration-authoring aid, not a security 
control: per the threat model the configuration file is trusted. The 
`ConfigurationSource` / `ALLOWED_PROTOCOLS` routing is defense-in-depth within 
that single trusted tier.
   - Tests (`XmlConfigurationSchemaTest`): a conforming config validates, a 
`File` appender is rejected by a `Console`-only schema, and an `http` 
sub-schema include is blocked by `ALLOWED_PROTOCOLS`; plus the existing 
XInclude tests.
   
   The changelog entry's `<issue>` will be set to this PR number once assigned.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to