Posted to dev@logging.apache.org by "Brian Martin (JIRA)" <ji...@apache.org> on 2017/06/29 17:04:00 UTC
[jira] [Commented] (LOG4J2-1959) Disable DTD processing in XML configuration files
[ https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068627#comment-16068627 ]
Brian Martin commented on LOG4J2-1959:
--------------------------------------
Can you clarify the potential attack vector? Can a lower-privileged user upload a configuration file or somehow inject a file into Log4J's process? Or is this a "just in case" / defense-in-depth fix? I couldn't find a commit to look into this more.
> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
> Key: LOG4J2-1959
> URL: https://issues.apache.org/jira/browse/LOG4J2-1959
> Project: Log4j 2
> Issue Type: Improvement
> Components: Configurators
> Affects Versions: 2.8.2
> Reporter: Mikael Ståldal
> Assignee: Mikael Ståldal
> Fix For: 2.9
>
>
> For security reasons, DTD processing should be disabled when parsing XML configuration files.