Posted to dev@logging.apache.org by "Brian Martin (JIRA)" <ji...@apache.org> on 2017/06/29 17:04:00 UTC

[jira] [Commented] (LOG4J2-1959) Disable DTD processing in XML configuration files

    [ https://issues.apache.org/jira/browse/LOG4J2-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068627#comment-16068627 ] 

Brian Martin commented on LOG4J2-1959:
--------------------------------------

Can you clarify the potential attack vector? Can a lower privileged user upload a configuration file or somehow inject a file into Log4J's process? Or is this a "just in case" / defense-in-depth fix? I couldn't find a commit to look into this more.

> Disable DTD processing in XML configuration files
> -------------------------------------------------
>
>                 Key: LOG4J2-1959
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1959
>             Project: Log4j 2
>          Issue Type: Improvement
>          Components: Configurators
>    Affects Versions: 2.8.2
>            Reporter: Mikael Ståldal
>            Assignee: Mikael Ståldal
>             Fix For: 2.9
>
>
> For security reasons, DTD processing should be disabled when parsing XML configuration files.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
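The hardening the issue asks for, shown as an added example in plain JAXP that is not Log4j's own code: a DocumentBuilder that rejects any DOCTYPE and disables external entity and DTD loading, tried against a constructed Log4j-style configuration with and without a DTD. It assumes the JDK's built-in Xerces parser, which supports the disallow-doctype-decl feature; the class name and sample documents are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DtdSafeConfigParser {

    // Parser hardened against DTD-based attacks: a DOCTYPE declaration is rejected
    // outright, and external entity/DTD loading is disabled as a second layer.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // JAXP 1.5: no external DTD access
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true when the document parsed, false when the parser rejected it.
    static boolean parses(DocumentBuilder b, String xml) {
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal Log4j 2 style configuration document.
        String plain = "<Configuration status=\"WARN\"><Appenders/>"
                + "<Loggers><Root level=\"info\"/></Loggers></Configuration>";
        // Constructed sample: the same document with a DOCTYPE. The hardened builder
        // refuses it as soon as the declaration is seen, whatever the DTD contains.
        String withDoctype = "<!DOCTYPE Configuration [<!ENTITY e \"x\">]>" + plain;
        DocumentBuilder b = hardenedBuilder();
        System.out.println("plain config accepted:   " + parses(b, plain));
        System.out.println("DOCTYPE config accepted: " + parses(b, withDoctype));
    }
}
```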